diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-executable-masquerading-as-kernel-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-executable-masquerading-as-kernel-process.asciidoc new file mode 100644 index 0000000000..e3e1551862 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-executable-masquerading-as-kernel-process.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-4-executable-masquerading-as-kernel-process]] +=== Executable Masquerading as Kernel Process + +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name : ("kworker*", "kthread*") and process.executable != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-firsttime-seen-account-performing-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-firsttime-seen-account-performing-dcsync.asciidoc new file mode 100644 index 0000000000..4ff1a5afcc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-firsttime-seen-account-performing-dcsync.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-12-4-firsttime-seen-account-performing-dcsync]] +=== FirstTime Seen Account Performing DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory +* Resources: Investigation Guide + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating FirstTime Seen Account Performing DCSync + +Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:("Directory Service Access" or "object-operation-performed") and event.code:"4662" and + winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or + *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or + *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and + not winlog.event_data.SubjectUserName:(*$ or MSOL_*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-kirbi-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-kirbi-file-creation.asciidoc new file mode 100644 index 0000000000..54b21f637a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-kirbi-file-creation.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-12-4-kirbi-file-creation]] +=== Kirbi File Creation + +Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 60m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-credential-access-via-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-credential-access-via-dcsync.asciidoc new file mode 100644 index 0000000000..af2e6ed37c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-credential-access-via-dcsync.asciidoc @@ -0,0 +1,155 @@ +[[prebuilt-rule-8-12-4-potential-credential-access-via-dcsync]] +=== Potential Credential Access via DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via DCSync + +Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action : ("Directory Service Access", "object-operation-performed") and + event.code == "4662" and winlog.event_data.Properties : ( + + /* Control Access Rights/Permissions Symbol */ + + "*DS-Replication-Get-Changes*", + "*DS-Replication-Get-Changes-All*", + "*DS-Replication-Get-Changes-In-Filtered-Set*", + + /* Identifying GUID used in ACE */ + + "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", + "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", + "*89e95b76-444d-4c62-991a-0facbeda640c*") + + /* The right to perform an operation controlled by an extended access right. */ + + and winlog.event_data.AccessMask : "0x100" and + not winlog.event_data.SubjectUserName : ( + "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect", + "SyncADConnectCM", "aadsync", "svcAzureADSync", "-" + ) + + /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-enumeration-via-active-directory-web-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-enumeration-via-active-directory-web-service.asciidoc new file mode 100644 index 0000000000..ac423ea583 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-enumeration-via-active-directory-web-service.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-12-4-potential-enumeration-via-active-directory-web-service]] +=== Potential Enumeration via Active Directory Web Service + +Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/FalconForceTeam/SOAPHound + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=3m + [library where host.os.type == "windows" and + dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and + not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + not process.executable : + ("?:\\windows\\system32\\dsac.exe", + "?:\\program files\\powershell\\?\\pwsh.exe", + "?:\\windows\\system32\\windowspowershell\\*.exe", + "?:\\windows\\syswow64\\windowspowershell\\*.exe", + "?:\\program files\\microsoft monitoring agent\\*.exe", + "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")] + [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and + network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-modification-of-accessibility-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-modification-of-accessibility-binaries.asciidoc new file mode 100644 index 0000000000..8d622820f2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-potential-modification-of-accessibility-binaries.asciidoc @@ -0,0 +1,174 @@ +[[prebuilt-rule-8-12-4-potential-modification-of-accessibility-binaries]] +=== Potential Modification of Accessibility Binaries + +Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/practical-security-engineering-stateful-detection + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Modification of Accessibility Binaries + +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + +More details can be found [here](https://attack.mitre.org/techniques/T1546/008/). + +This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and + process.pe.original_file_name : "?*" and + process.args : + ( + "C:\\Windows\\System32\\osk.exe", + "C:\\Windows\\System32\\Magnify.exe", + "C:\\Windows\\System32\\Narrator.exe", + "C:\\Windows\\System32\\Sethc.exe", + "utilman.exe", + "ATBroker.exe", + "DisplaySwitch.exe", + "sethc.exe" + ) + and not process.pe.original_file_name in + ( + "osk.exe", + "sethc.exe", + "utilman2.exe", + "DisplaySwitch.exe", + "ATBroker.exe", + "ScreenMagnifier.exe", + "SR.exe", + "Narrator.exe", + "magnify.exe", + "MAGNIFY.EXE" + ) + +/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */ +/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-powershell-script-with-webcam-video-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-powershell-script-with-webcam-video-capture-capabilities.asciidoc new file mode 100644 index 0000000000..254c9d251a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-powershell-script-with-webcam-video-capture-capabilities.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-12-4-powershell-script-with-webcam-video-capture-capabilities]] +=== PowerShell Script with Webcam Video Capture Capabilities + +Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Data Source: PowerShell Logs + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "NewFrameEventHandler" or + "VideoCaptureDevice" or + "DirectX.Capture.Filters" or + "VideoCompressors" or + "Start-WebcamRecorder" or + ( + ("capCreateCaptureWindowA" or + "capCreateCaptureWindow" or + "capGetDriverDescription") and + ("avicap32.dll" or "avicap32") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Video Capture +** ID: T1125 +** Reference URL: https://attack.mitre.org/techniques/T1125/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-remote-scheduled-task-creation-via-rpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-remote-scheduled-task-creation-via-rpc.asciidoc new file mode 100644 index 0000000000..dcf730ec3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-remote-scheduled-task-creation-via-rpc.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-12-4-remote-scheduled-task-creation-via-rpc]] +=== Remote Scheduled Task Creation via RPC + +Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.security* +* logs-windows.forwarded* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Scheduled Task Creation + +[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value. + +#### Possible investigation steps + +- Review the TaskContent value to investigate the task configured action. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines. + +### False positive analysis + +- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents. + +### Related rules + +- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc +- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650 +- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Remove scheduled task and any other related artifacts. +- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "scheduled-task-created" and + winlog.event_data.RpcCallClientLocality : "0" and winlog.event_data.ClientProcessId : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-startup-or-run-key-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-startup-or-run-key-registry-modification.asciidoc new file mode 100644 index 0000000000..381fa08294 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-startup-or-run-key-registry-modification.asciidoc @@ -0,0 +1,315 @@ +[[prebuilt-rule-8-12-4-startup-or-run-key-registry-modification]] +=== Startup or Run Key Registry Modification + +Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Startup or Run Key Registry Modification + +Adversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0 +- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f +- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.data.strings != null and + registry.path : ( + /* Machine Hive */ + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*", + /* Users Hive */ + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*" + ) and + /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */ + not registry.data.strings : "ctfmon.exe /n" and + not (registry.value : "Application Restart #*" and process.name : "csrss.exe") and + not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + not registry.data.strings : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and + not process.executable : ("?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\SysWOW64\\msiexec.exe") and + not ( + /* Logitech G Hub */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Logitech Inc" and + ( + process.name : "lghub_agent.exe" and registry.data.strings : ( + "\"?:\\Program Files\\LGHUB\\lghub.exe\" --background", + "\"?:\\Program Files\\LGHUB\\system_tray\\lghub_system_tray.exe\" --minimized" + ) + ) or + ( + process.name : "LogiBolt.exe" and registry.data.strings : ( + "?:\\Program Files\\Logi\\LogiBolt\\LogiBolt.exe --startup", + "?:\\Users\\*\\AppData\\Local\\Logi\\LogiBolt\\LogiBolt.exe --startup" + ) + ) + ) or + + /* Google Drive File Stream, Chrome, and Google Update */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Google LLC" and + ( + process.name : "GoogleDriveFS.exe" and registry.data.strings : ( + "\"?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe\" --startup_mode" + ) or + + process.name : "chrome.exe" and registry.data.strings : ( + "\"?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5", + "\"?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5" + ) or + + process.name : "GoogleUpdate.exe" and registry.data.strings : ( + "\"?:\\Users\\*\\AppData\\Local\\Google\\Update\\*\\GoogleUpdateCore.exe\"" + ) + ) + ) or + + /* MS Programs */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") and + ( + process.name : "msedge.exe" and registry.data.strings : ( + "\"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5", + "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --win-session-start", + "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start" + ) or + + process.name : ("Update.exe", "Teams.exe") and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"", + "?:\\ProgramData\\*\\Microsoft\\Teams\\Update.exe --processStart \"Teams.exe\" --process-start-args \"--system-initiated\"" + ) or + + process.name : "OneDriveStandaloneUpdater.exe" and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\\Microsoft.SharePoint.exe" + ) or + + process.name : "OneDriveSetup.exe" and + registry.data.strings : ( + "?:\\Windows\\system32\\cmd.exe /q /c * \"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\*\"", + "?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe /background*", + "\"?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe\" /background*", + "?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background *", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\??.???.????.????\\Microsoft.SharePoint.exe" + ) or + + process.name : "OneDrive.exe" and registry.data.strings : ( + "\"?:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background", + "\"?:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe\" /background", + "\"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" + ) or + + process.name : "Microsoft.SharePoint.exe" and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\??.???.????.????\\Microsoft.SharePoint.exe" + ) or + + process.name : "MicrosoftEdgeUpdate.exe" and registry.data.strings : ( + "\"?:\\Users\\Expedient\\AppData\\Local\\Microsoft\\EdgeUpdate\\*\\MicrosoftEdgeUpdateCore.exe\"" + ) or + + process.executable : "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe" and + registry.data.strings : ( + "\"?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\Installer\\setup.exe\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon" + ) + ) + ) or + + /* Slack */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name in ( + "Slack Technologies, Inc.", "Slack Technologies, LLC" + ) and process.name : "slack.exe" and registry.data.strings : ( + "\"?:\\Users\\*\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup", + "\"?:\\ProgramData\\*\\slack\\slack.exe\" --process-start-args --startup", + "\"?:\\Program Files\\Slack\\slack.exe\" --process-start-args --startup" + ) + ) or + + /* Cisco */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and + ( + process.name : "WebexHost.exe" and registry.data.strings : ( + "\"?:\\Users\\*\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun" + ) + ) or + ( + process.name : "CiscoJabber.exe" and registry.data.strings : ( + "\"?:\\Program Files (x86)\\Cisco Systems\\Cisco Jabber\\CiscoJabber.exe\" /min" + ) + ) + ) or + + /* Loom */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Loom, Inc." and + process.name : "Loom.exe" and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Programs\\Loom\\Loom.exe --process-start-args \"--loomHidden\"" + ) + ) or + + /* Adobe */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Adobe Inc." and + process.name : ("Acrobat.exe", "FlashUtil32_*_Plugin.exe") and registry.data.strings : ( + "\"?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"", + "\"?:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe\"", + "?:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil32_*_Plugin.exe -update plugin" + ) + ) or + + /* CCleaner */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "PIRIFORM SOFTWARE LIMITED" and + process.name : ("CCleanerBrowser.exe", "CCleaner64.exe") and registry.data.strings : ( + "\"C:\\Program Files (x86)\\CCleaner Browser\\Application\\CCleanerBrowser.exe\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\"Default\"", + "\"C:\\Program Files\\CCleaner\\CCleaner64.exe\" /MONITOR" + ) + ) or + + /* Opera */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Opera Norway AS" and + process.name : "opera.exe" and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera\\launcher.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera GX\\launcher.exe" + ) + ) or + + /* Avast */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Avast Software s.r.o." and + process.name : "AvastBrowser.exe" and registry.data.strings : ( + "\"?:\\Users\\*\\AppData\\Local\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*", + "\"?:\\Program Files (x86)\\AVAST Software\\Browser\\Application\\AvastBrowser.exe\" --check-run=src=logon --auto-launch-at-startup*", + "" + ) + ) or + + /* Grammarly */ + ( + process.code_signature.trusted == true and process.code_signature.subject_name == "Grammarly, Inc." and + process.name : "GrammarlyInstaller.exe" and registry.data.strings : ( + "?:\\Users\\*\\AppData\\Local\\Grammarly\\DesktopIntegrations\\Grammarly.Desktop.exe" + ) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-execution.asciidoc new file mode 100644 index 0000000000..94c285e43d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-execution.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-12-4-suspicious-apt-package-manager-execution]] +=== Suspicious APT Package Manager Execution + +Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name == "apt" and process.args == "-c" and process.name in ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" + ) + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", + "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" + ) + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-network-connection.asciidoc new file mode 100644 index 0000000000..2558c2c6e9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-apt-package-manager-network-connection.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-12-4-suspicious-apt-package-manager-network-connection]] +=== Suspicious APT Package Manager Network Connection + +Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Command and Control +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name == "apt" and process.args == "-c" and process.name in ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" + ) + ] by process.entity_id + [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-dynamic-linker-discovery-via-od.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-dynamic-linker-discovery-via-od.asciidoc new file mode 100644 index 0000000000..c2f2414ff8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-dynamic-linker-discovery-via-od.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-12-4-suspicious-dynamic-linker-discovery-via-od]] +=== Suspicious Dynamic Linker Discovery via od + +Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/arget13/DDexec + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "od" and process.args in ( + "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2", + "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-file-downloaded-from-google-drive.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-file-downloaded-from-google-drive.asciidoc new file mode 100644 index 0000000000..37d93787f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-file-downloaded-from-google-drive.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-12-4-suspicious-file-downloaded-from-google-drive]] +=== Suspicious File Downloaded from Google Drive + +Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Command and Control + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where + + /* common browser processes */ + event.action in ("exec", "fork", "start") and + + process.name : ("Microsoft Edge", "chrome.exe", "Google Chrome", "google-chrome-stable", + "google-chrome-beta", "google-chrome", "msedge.exe", "firefox.exe", "brave.exe", + "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe", "firefox", + "powershell.exe", "curl", "curl.exe", "wget", "wget.exe") and + + /* Look for Google Drive download URL with AV flag skipping */ + (process.command_line : "*drive.google.com*" and process.command_line : "*export=download*" and process.command_line : "*confirm=no_antivirus*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-network-connection-via-systemd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-network-connection-via-systemd.asciidoc new file mode 100644 index 0000000000..4627ebc3cb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-network-connection-via-systemd.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-12-4-suspicious-network-connection-via-systemd]] +=== Suspicious Network Connection via systemd + +Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Command and Control +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name == "systemd" and process.name in ( + "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk" + ) + ] by process.entity_id + [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-passwd-file-event-action.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-passwd-file-event-action.asciidoc new file mode 100644 index 0000000000..0362bdd982 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-passwd-file-event-action.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-12-4-suspicious-passwd-file-event-action]] +=== Suspicious Passwd File Event Action + +Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the "/etc/passwd" file. The "/etc/passwd" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the "/etc/passwd" file permissions or other privileges to add a new entry to the "/etc/passwd" file with root permissions, and leverage this new user account to login as root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.pid with maxspan=1m + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.name == "openssl" and process.args == "passwd" and user.id != "0"] + [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and file.path == "/etc/passwd" and + process.parent.pid != 1 and not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-proc-maps-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-proc-maps-discovery.asciidoc new file mode 100644 index 0000000000..2eef5c3840 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rule-8-12-4-suspicious-proc-maps-discovery.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-12-4-suspicious-proc-maps-discovery]] +=== Suspicious /proc/maps Discovery + +Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/arget13/DDexec + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-appendix.asciidoc new file mode 100644 index 0000000000..21c93ff548 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-appendix.asciidoc @@ -0,0 +1,22 @@ +["appendix",role="exclude",id="prebuilt-rule-8-12-4-prebuilt-rules-8-12-4-appendix"] += Downloadable rule update v8.12.4 + +This section lists all updates associated with version 8.12.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-12-4-executable-masquerading-as-kernel-process.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-dynamic-linker-discovery-via-od.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-proc-maps-discovery.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-apt-package-manager-execution.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-apt-package-manager-network-connection.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-network-connection-via-systemd.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-passwd-file-event-action.asciidoc[] +include::prebuilt-rule-8-12-4-powershell-script-with-webcam-video-capture-capabilities.asciidoc[] +include::prebuilt-rule-8-12-4-kirbi-file-creation.asciidoc[] +include::prebuilt-rule-8-12-4-potential-enumeration-via-active-directory-web-service.asciidoc[] +include::prebuilt-rule-8-12-4-suspicious-file-downloaded-from-google-drive.asciidoc[] +include::prebuilt-rule-8-12-4-firsttime-seen-account-performing-dcsync.asciidoc[] +include::prebuilt-rule-8-12-4-potential-credential-access-via-dcsync.asciidoc[] +include::prebuilt-rule-8-12-4-remote-scheduled-task-creation-via-rpc.asciidoc[] +include::prebuilt-rule-8-12-4-potential-modification-of-accessibility-binaries.asciidoc[] +include::prebuilt-rule-8-12-4-startup-or-run-key-registry-modification.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-summary.asciidoc new file mode 100644 index 0000000000..68e9ec5ac6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-4/prebuilt-rules-8-12-4-summary.asciidoc @@ -0,0 +1,44 @@ +[[prebuilt-rule-8-12-4-prebuilt-rules-8-12-4-summary]] +[role="xpack"] +== Update v8.12.4 + +This section lists all updates associated with version 8.12.4 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes. | new | 1 + +|<> | Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files. | new | 1 + +|<> | Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking. | new | 1 + +|<> | Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. | new | 1 + +|<> | Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. | new | 1 + +|<> | Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events. | new | 1 + +|<> | Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the "/etc/passwd" file. The "/etc/passwd" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the "/etc/passwd" file permissions or other privileges to add a new entry to the "/etc/passwd" file with root permissions, and leverage this new user account to login as root. | new | 1 + +|<> | Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims. | new | 3 + +|<> | Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. | new | 3 + +|<> | Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. | new | 1 + +|<> | Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice. | update | 3 + +|<> | This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. | update | 9 + +|<> | This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. | update | 112 + +|<> | Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. | update | 8 + +|<> | Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. | update | 109 + +|<> | Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. | update | 110 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 36d16bc35b..9b32f32741 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -13,6 +13,12 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 08 Feb 2024 | 10 | 6 | +This release includes new and tuned rules for Linux and Windows. +New rules for Linux include detection for discovery, persistence, privilege escalation and defense evasion. +New rules for Windows include detection for Active Directory enumeration. +Additionally, significant rule tuning for Windows, Linux and macOS rules has been added for better rule efficacy and performance. + |<> | 25 Jan 2024 | 19 | 165 | This release includes new rules for Windows, Linux, Containers and GitHub. New rules for Windows include detection for evasion via Windows Filtering Platform. @@ -41,3 +47,4 @@ Additionally, significant rule tuning for Windows, Linux and Okta rules has been include::downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-12-2/prebuilt-rules-8-12-2-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-12-3/prebuilt-rules-8-12-3-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-12-4/prebuilt-rules-8-12-4-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index cb3bcfefcb..9644f52514 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc @@ -242,7 +242,7 @@ and their rule type is `machine_learning`. |<> |Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. |[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.10.0 |207 -|<> |Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<> |Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<> |Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |103 @@ -488,6 +488,8 @@ and their rule type is `machine_learning`. |<> |Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 +|<> |Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |8.3.0 |1 + |<> |Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |110 |<> |Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 @@ -532,7 +534,7 @@ and their rule type is `machine_learning`. |<> |Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Tactic: Initial Access], [Resources: Investigation Guide] |8.4.0 |2 -|<> |Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration. |[Data Source: Elastic Defend], [Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Tactic: Collection], [Rule Type: BBR] |8.3.0 |1 +|<> |Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration. |[Data Source: Elastic Defend], [Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Tactic: Collection], [Rule Type: BBR] |8.3.0 |2 |<> |Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion] |8.3.0 |4 @@ -592,7 +594,7 @@ and their rule type is `machine_learning`. |<> |Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Exfiltration], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.4.0 |2 -|<> |This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Resources: Investigation Guide] |8.4.0 |8 +|<> |This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Resources: Investigation Guide] |8.4.0 |9 |<> |Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Log Auditing], [Use Case: Threat Detection] |8.4.0 |2 @@ -782,7 +784,7 @@ and their rule type is `machine_learning`. |<> |Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 +|<> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |3 |<> |This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Initial Access], [Tactic: Defense Evasion] |8.4.0 |6 @@ -1136,13 +1138,13 @@ and their rule type is `machine_learning`. |<> |Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<> |This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |111 +|<> |This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |112 |<> |Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |207 |<> |Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic:Execution], [Data Source: Sysmon Only] |8.8.0 |208 -|<> |Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<> |Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<> |Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Sysmon Only] |8.3.0 |107 @@ -1176,6 +1178,8 @@ and their rule type is `machine_learning`. |<> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<> |Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |1 + |<> |The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<> |Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |1 @@ -1226,8 +1230,6 @@ and their rule type is `machine_learning`. |<> |Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<> |Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control] |8.3.0 |2 - |<> |Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 |<> |Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Initial Access], [Tactic: Execution], [Rule Type: BBR] |8.3.0 |2 @@ -1240,11 +1242,13 @@ and their rule type is `machine_learning`. |<> |Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR] |8.3.0 |2 +|<> |Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |8.3.0 |1 + |<> |This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.6.0 |4 |<> |Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 -|<> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 +|<> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 |<> |This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |5 @@ -1432,7 +1436,7 @@ and their rule type is `machine_learning`. |<> |Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: PowerShell Logs] |8.3.0 |10 -|<> |Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |2 +|<> |Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs] |8.3.0 |3 |<> |Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |8 @@ -1550,7 +1554,7 @@ and their rule type is `machine_learning`. |<> |Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement] |8.3.0 |7 +|<> |Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement] |8.3.0 |8 |<> |Discovery of remote system information using built-in commands, which may be used to move laterally. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Rule Type: BBR] |8.3.0 |110 @@ -1672,7 +1676,7 @@ and their rule type is `machine_learning`. |<> |Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<> |Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 +|<> |Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |110 |<> |Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |108 @@ -1694,9 +1698,15 @@ and their rule type is `machine_learning`. |<> |Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |111 +|<> |Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |1 + +|<> |Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |1 + +|<> |Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Command and Control], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |1 + |<> |Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Initial Access] |8.10.0 |205 -|<> |Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |6 +|<> |Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |7 |<> |Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |105 @@ -1720,6 +1730,8 @@ and their rule type is `machine_learning`. |<> |Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |4 +|<> |Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |8.3.0 |1 + |<> |Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |105 |<> |A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 @@ -1742,6 +1754,8 @@ and their rule type is `machine_learning`. |<> |This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |2 +|<> |Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control] |8.3.0 |3 + |<> |Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Defend] |8.3.0 |105 |<