-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Rules] Adding Documents for v8.9.8 Pre-Built Detection Rul…
…es (#4100) * Update latest docs * fixed links; updated downloadable updates description * removed references to deprecated rules * removed 'potential-dll-sideloading-via-trusted-microsoft-programs' * removed deprecations from summary --------- Co-authored-by: terrancedejesus <[email protected]>
- Loading branch information
1 parent
0cfac69
commit 19dd032
Showing
729 changed files
with
38,206 additions
and
1,586 deletions.
There are no files selected for viewing
122 changes: 122 additions & 0 deletions
122
...ges/8-9-8/prebuilt-rule-8-9-8-abnormal-process-id-or-lock-file-created.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,122 @@ | ||
[[prebuilt-rule-8-9-8-abnormal-process-id-or-lock-file-created]] | ||
=== Abnormal Process ID or Lock File Created | ||
|
||
Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. | ||
|
||
*Rule type*: new_terms | ||
|
||
*Rule indices*: | ||
|
||
* logs-endpoint.events.* | ||
|
||
*Severity*: medium | ||
|
||
*Risk score*: 47 | ||
|
||
*Runs every*: 5m | ||
|
||
*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
||
*Maximum alerts per execution*: 100 | ||
|
||
*References*: | ||
|
||
* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ | ||
* https://twitter.com/GossiTheDog/status/1522964028284411907 | ||
* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf | ||
* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor | ||
|
||
*Tags*: | ||
|
||
* Domain: Endpoint | ||
* OS: Linux | ||
* Use Case: Threat Detection | ||
* Tactic: Execution | ||
* Threat: BPFDoor | ||
* Resources: Investigation Guide | ||
* Data Source: Elastic Defend | ||
|
||
*Version*: 210 | ||
|
||
*Rule authors*: | ||
|
||
* Elastic | ||
|
||
*Rule license*: Elastic License v2 | ||
|
||
|
||
==== Investigation guide | ||
|
||
|
||
[source, markdown] | ||
---------------------------------- | ||
## Triage and analysis | ||
### Investigating Abnormal Process ID or Lock File Created | ||
Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value. | ||
Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented. | ||
This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files. | ||
#### Possible investigation steps | ||
- Retrieve the file and determine if it is malicious: | ||
- Check the contents of the PID files. They should only contain integer strings. | ||
- Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files. | ||
- Check the size of the subject file. Legitimate PID files should be under 10 bytes. | ||
- Check if the lock or PID file has high entropy. This typically indicates an encrypted payload. | ||
- Analysts can use tools like `ent` to measure entropy. | ||
- Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation. | ||
- Trace the file's creation to ensure it came from a legitimate or authorized process. | ||
- Investigate other alerts associated with the user/host during the past 48 hours. | ||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. | ||
- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. | ||
### False positive analysis | ||
- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious. | ||
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions. | ||
### Response and remediation | ||
- Initiate the incident response process based on the outcome of the triage. | ||
- Isolate the involved host to prevent further post-compromise behavior. | ||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. | ||
- Block the identified indicators of compromise (IoCs). | ||
- Take actions to terminate processes and connections used by the attacker. | ||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. | ||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. | ||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | ||
---------------------------------- | ||
|
||
==== Rule query | ||
|
||
|
||
[source, js] | ||
---------------------------------- | ||
host.os.type:linux and event.category:file and event.action:creation and | ||
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( | ||
(process.name : ( | ||
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) | ||
) or ( | ||
process.executable : ( | ||
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* | ||
)) | ||
) and not process.name : (go or git or containerd* or snap-confine) | ||
---------------------------------- | ||
|
||
*Framework*: MITRE ATT&CK^TM^ | ||
|
||
* Tactic: | ||
** Name: Execution | ||
** ID: TA0002 | ||
** Reference URL: https://attack.mitre.org/tactics/TA0002/ | ||
* Technique: | ||
** Name: Native API | ||
** ID: T1106 | ||
** Reference URL: https://attack.mitre.org/techniques/T1106/ |
130 changes: 130 additions & 0 deletions
130
...ackages/8-9-8/prebuilt-rule-8-9-8-access-to-a-sensitive-ldap-attribute.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
[[prebuilt-rule-8-9-8-access-to-a-sensitive-ldap-attribute]] | ||
=== Access to a Sensitive LDAP Attribute | ||
|
||
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. | ||
|
||
*Rule type*: eql | ||
|
||
*Rule indices*: | ||
|
||
* winlogbeat-* | ||
* logs-system.* | ||
* logs-windows.* | ||
|
||
*Severity*: medium | ||
|
||
*Risk score*: 47 | ||
|
||
*Runs every*: 5m | ||
|
||
*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
||
*Maximum alerts per execution*: 100 | ||
|
||
*References*: | ||
|
||
* https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming | ||
* https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx | ||
* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 | ||
|
||
*Tags*: | ||
|
||
* Domain: Endpoint | ||
* OS: Windows | ||
* Use Case: Threat Detection | ||
* Tactic: Credential Access | ||
* Tactic: Privilege Escalation | ||
* Use Case: Active Directory Monitoring | ||
* Data Source: Active Directory | ||
|
||
*Version*: 8 | ||
|
||
*Rule authors*: | ||
|
||
* Elastic | ||
|
||
*Rule license*: Elastic License v2 | ||
|
||
|
||
==== Investigation guide | ||
|
||
|
||
[source, markdown] | ||
---------------------------------- | ||
The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). | ||
Steps to implement the logging policy with Advanced Audit Configuration: | ||
``` | ||
Computer Configuration > | ||
Policies > | ||
Windows Settings > | ||
Security Settings > | ||
Advanced Audit Policies Configuration > | ||
Audit Policies > | ||
DS Access > | ||
Audit Directory Service Access (Success,Failure) | ||
``` | ||
---------------------------------- | ||
|
||
==== Rule query | ||
|
||
|
||
[source, js] | ||
---------------------------------- | ||
any where event.action == "Directory Service Access" and event.code == "4662" and | ||
not winlog.event_data.SubjectUserSid : "S-1-5-18" and | ||
winlog.event_data.Properties : ( | ||
/* unixUserPassword */ | ||
"*612cb747-c0e8-4f92-9221-fdd5f15b550d*", | ||
/* ms-PKI-AccountCredentials */ | ||
"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*", | ||
/* ms-PKI-DPAPIMasterKeys */ | ||
"*b3f93023-9239-4f7c-b99c-6745d87adbc2*", | ||
/* msPKI-CredentialRoamingTokens */ | ||
"*b7ff5a38-0818-42b0-8110-d3d154c97f24*" | ||
) and | ||
/* | ||
Excluding noisy AccessMasks | ||
0x0 undefined and 0x100 Control Access | ||
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 | ||
*/ | ||
not winlog.event_data.AccessMask in ("0x0", "0x100") | ||
---------------------------------- | ||
|
||
*Framework*: MITRE ATT&CK^TM^ | ||
|
||
* Tactic: | ||
** Name: Credential Access | ||
** ID: TA0006 | ||
** Reference URL: https://attack.mitre.org/tactics/TA0006/ | ||
* Technique: | ||
** Name: OS Credential Dumping | ||
** ID: T1003 | ||
** Reference URL: https://attack.mitre.org/techniques/T1003/ | ||
* Technique: | ||
** Name: Unsecured Credentials | ||
** ID: T1552 | ||
** Reference URL: https://attack.mitre.org/techniques/T1552/ | ||
* Sub-technique: | ||
** Name: Private Keys | ||
** ID: T1552.004 | ||
** Reference URL: https://attack.mitre.org/techniques/T1552/004/ | ||
* Tactic: | ||
** Name: Privilege Escalation | ||
** ID: TA0004 | ||
** Reference URL: https://attack.mitre.org/tactics/TA0004/ | ||
* Technique: | ||
** Name: Valid Accounts | ||
** ID: T1078 | ||
** Reference URL: https://attack.mitre.org/techniques/T1078/ | ||
* Sub-technique: | ||
** Name: Domain Accounts | ||
** ID: T1078.002 | ||
** Reference URL: https://attack.mitre.org/techniques/T1078/002/ |
114 changes: 114 additions & 0 deletions
114
...8-9-8/prebuilt-rule-8-9-8-account-discovery-command-via-system-account.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,114 @@ | ||
[[prebuilt-rule-8-9-8-account-discovery-command-via-system-account]] | ||
=== Account Discovery Command via SYSTEM Account | ||
|
||
Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. | ||
|
||
*Rule type*: eql | ||
|
||
*Rule indices*: | ||
|
||
* winlogbeat-* | ||
* logs-endpoint.events.* | ||
* logs-windows.* | ||
|
||
*Severity*: low | ||
|
||
*Risk score*: 21 | ||
|
||
*Runs every*: 5m | ||
|
||
*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
||
*Maximum alerts per execution*: 100 | ||
|
||
*References*: None | ||
|
||
*Tags*: | ||
|
||
* Domain: Endpoint | ||
* OS: Windows | ||
* Use Case: Threat Detection | ||
* Tactic: Discovery | ||
* Tactic: Privilege Escalation | ||
* Resources: Investigation Guide | ||
* Data Source: Elastic Defend | ||
|
||
*Version*: 107 | ||
|
||
*Rule authors*: | ||
|
||
* Elastic | ||
|
||
*Rule license*: Elastic License v2 | ||
|
||
|
||
==== Investigation guide | ||
|
||
|
||
[source, markdown] | ||
---------------------------------- | ||
## Triage and analysis | ||
### Investigating Account Discovery Command via SYSTEM Account | ||
After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. | ||
This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications. | ||
#### Possible investigation steps | ||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. | ||
- If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor. | ||
- Investigate other alerts associated with the user/host during the past 48 hours. | ||
- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities. | ||
### False positive analysis | ||
- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. | ||
### Response and remediation | ||
- Initiate the incident response process based on the outcome of the triage. | ||
- Isolate the involved hosts to prevent further post-compromise behavior. | ||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. | ||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. | ||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. | ||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). | ||
- Use the data collected through the analysis to investigate other machines affected in the environment. | ||
---------------------------------- | ||
|
||
==== Rule query | ||
|
||
|
||
[source, js] | ||
---------------------------------- | ||
process where host.os.type == "windows" and event.type == "start" and | ||
(?process.Ext.token.integrity_level_name : "System" or | ||
?winlog.event_data.IntegrityLevel : "System") and | ||
(process.name : "whoami.exe" or | ||
(process.name : "net1.exe" and not process.parent.name : "net.exe")) | ||
---------------------------------- | ||
|
||
*Framework*: MITRE ATT&CK^TM^ | ||
|
||
* Tactic: | ||
** Name: Discovery | ||
** ID: TA0007 | ||
** Reference URL: https://attack.mitre.org/tactics/TA0007/ | ||
* Technique: | ||
** Name: System Owner/User Discovery | ||
** ID: T1033 | ||
** Reference URL: https://attack.mitre.org/techniques/T1033/ | ||
* Tactic: | ||
** Name: Privilege Escalation | ||
** ID: TA0004 | ||
** Reference URL: https://attack.mitre.org/tactics/TA0004/ | ||
* Technique: | ||
** Name: Valid Accounts | ||
** ID: T1078 | ||
** Reference URL: https://attack.mitre.org/techniques/T1078/ | ||
* Sub-technique: | ||
** Name: Local Accounts | ||
** ID: T1078.003 | ||
** Reference URL: https://attack.mitre.org/techniques/T1078/003/ |
Oops, something went wrong.