From 4c1d22782aec6a1dbff26166cd1b8bbc195eeae3 Mon Sep 17 00:00:00 2001 
From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 15 May 2024 14:34:38 +0000 Subject: [PATCH] Update latest docs --- ...-keychain-credentials-directories.asciidoc | 136 ++++++++ ...behavior-detected-elastic-endgame.asciidoc | 59 ++++ ...xecution-at-volume-root-directory.asciidoc | 73 +++++ ...ion-with-administrator-privileges.asciidoc | 111 +++++++ ...authorization-plugin-modification.asciidoc | 106 +++++++ ...credential-fetch-via-assumed-role.asciidoc | 124 ++++++++ ...-component-object-model-hijacking.asciidoc | 208 ++++++++++++ ...n-to-commonly-abused-web-services.asciidoc | 297 ++++++++++++++++++ ...-12-container-workload-protection.asciidoc | 60 ++++ ...-dumping-detected-elastic-endgame.asciidoc | 76 +++++ ...dumping-prevented-elastic-endgame.asciidoc | 76 +++++ ...pulation-detected-elastic-endgame.asciidoc | 72 +++++ ...ulation-prevented-elastic-endgame.asciidoc | 72 +++++ ...2-ami-shared-with-another-account.asciidoc | 118 +++++++ ...lt-rule-8-12-12-endpoint-security.asciidoc | 59 ++++ ...s-or-groups-via-built-in-commands.asciidoc | 127 ++++++++ ...-exploit-detected-elastic-endgame.asciidoc | 77 +++++ ...exploit-prevented-elastic-endgame.asciidoc | 77 +++++ ...uilt-rule-8-12-12-external-alerts.asciidoc | 68 ++++ ...ync-plugin-registered-and-enabled.asciidoc | 116 +++++++ ...ssword-retrieval-via-command-line.asciidoc | 117 +++++++ ...ller-package-spawns-network-event.asciidoc | 119 +++++++ ...-malware-detected-elastic-endgame.asciidoc | 59 ++++ ...malware-prevented-elastic-endgame.asciidoc | 59 ++++ ...-via-unsigned-or-untrusted-parent.asciidoc | 116 +++++++ ...on-theft-detected-elastic-endgame.asciidoc | 72 +++++ ...n-theft-prevented-elastic-endgame.asciidoc | 72 +++++ ...-via-docker-shortcut-modification.asciidoc | 101 ++++++ ...sistence-via-folder-action-script.asciidoc | 108 +++++++ ...tial-admin-group-account-addition.asciidoc | 107 +++++++ ...e-download-via-a-headless-browser.asciidoc | 108 +++++++ 
...ential-persistence-via-login-hook.asciidoc | 117 +++++++ ...ershell-hacktool-script-by-author.asciidoc | 115 +++++++ ...h-count-of-readme-files-by-system.asciidoc | 125 ++++++++ ...somware-note-file-dropped-via-smb.asciidoc | 136 ++++++++ ...njection-detected-elastic-endgame.asciidoc | 72 +++++ ...jection-prevented-elastic-endgame.asciidoc | 72 +++++ ...pt-for-credentials-with-osascript.asciidoc | 111 +++++++ ...-by-unsigned-or-untrusted-process.asciidoc | 110 +++++++ ...nsomware-detected-elastic-endgame.asciidoc | 59 ++++ ...somware-prevented-elastic-endgame.asciidoc | 59 ++++ ...r-query-log-configuration-deleted.asciidoc | 123 ++++++++ ...ell-execution-via-apple-scripting.asciidoc | 101 ++++++ ...-suspicious-browser-child-process.asciidoc | 128 ++++++++ ...2-suspicious-file-renamed-via-smb.asciidoc | 138 ++++++++ ...ous-macos-ms-office-child-process.asciidoc | 168 ++++++++++ ...web-browser-sensitive-file-access.asciidoc | 115 +++++++ ...systemkey-access-via-command-line.asciidoc | 104 ++++++ ...via-microsoft-common-console-file.asciidoc | 124 ++++++++ ...12-webproxy-settings-modification.asciidoc | 104 ++++++ .../prebuilt-rules-8-12-12-appendix.asciidoc | 56 ++++ .../prebuilt-rules-8-12-12-summary.asciidoc | 112 +++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 108 ++++--- .../prebuilt-rules/rule-desc-index.asciidoc | 17 +- ...-keychain-credentials-directories.asciidoc | 29 +- ...behavior-detected-elastic-endgame.asciidoc | 17 +- ...xecution-at-volume-root-directory.asciidoc | 73 +++++ ...ion-with-administrator-privileges.asciidoc | 7 +- ...authorization-plugin-modification.asciidoc | 6 +- ...credential-fetch-via-assumed-role.asciidoc | 124 ++++++++ ...s-iam-login-profile-added-to-user.asciidoc | 75 +++++ .../component-object-model-hijacking.asciidoc | 109 ++----- ...n-to-commonly-abused-web-services.asciidoc | 7 +- .../container-workload-protection.asciidoc | 17 +- ...-dumping-detected-elastic-endgame.asciidoc 
| 17 +- ...dumping-prevented-elastic-endgame.asciidoc | 17 +- ...pulation-detected-elastic-endgame.asciidoc | 17 +- ...ulation-prevented-elastic-endgame.asciidoc | 17 +- ...2-ami-shared-with-another-account.asciidoc | 118 +++++++ .../rule-details/endpoint-security.asciidoc | 17 +- ...s-or-groups-via-built-in-commands.asciidoc | 27 +- .../exploit-detected-elastic-endgame.asciidoc | 17 +- ...exploit-prevented-elastic-endgame.asciidoc | 17 +- .../rule-details/external-alerts.asciidoc | 17 +- ...ync-plugin-registered-and-enabled.asciidoc | 12 +- ...ssword-retrieval-via-command-line.asciidoc | 9 +- ...ller-package-spawns-network-event.asciidoc | 8 +- .../malware-detected-elastic-endgame.asciidoc | 17 +- ...malware-prevented-elastic-endgame.asciidoc | 17 +- ...-via-unsigned-or-untrusted-parent.asciidoc | 116 +++++++ ...on-theft-detected-elastic-endgame.asciidoc | 17 +- ...n-theft-prevented-elastic-endgame.asciidoc | 17 +- ...-via-docker-shortcut-modification.asciidoc | 5 +- ...sistence-via-folder-action-script.asciidoc | 9 +- ...tial-admin-group-account-addition.asciidoc | 8 +- ...e-download-via-a-headless-browser.asciidoc | 108 +++++++ ...ential-persistence-via-login-hook.asciidoc | 5 +- ...ershell-hacktool-script-by-author.asciidoc | 115 +++++++ ...h-count-of-readme-files-by-system.asciidoc | 125 ++++++++ ...somware-note-file-dropped-via-smb.asciidoc | 136 ++++++++ ...njection-detected-elastic-endgame.asciidoc | 17 +- ...jection-prevented-elastic-endgame.asciidoc | 17 +- ...pt-for-credentials-with-osascript.asciidoc | 13 +- ...-by-unsigned-or-untrusted-process.asciidoc | 110 +++++++ ...nsomware-detected-elastic-endgame.asciidoc | 17 +- ...somware-prevented-elastic-endgame.asciidoc | 17 +- ...r-query-log-configuration-deleted.asciidoc | 123 ++++++++ ...ell-execution-via-apple-scripting.asciidoc | 6 +- .../suspicious-browser-child-process.asciidoc | 4 +- .../suspicious-file-renamed-via-smb.asciidoc | 138 ++++++++ ...ous-macos-ms-office-child-process.asciidoc | 86 +++-- 
...web-browser-sensitive-file-access.asciidoc | 115 +++++++ ...systemkey-access-via-command-line.asciidoc | 5 +- ...via-microsoft-common-console-file.asciidoc | 124 ++++++++ .../webproxy-settings-modification.asciidoc | 5 +- ...e-installed-via-an-unusual-client.asciidoc | 15 +- docs/index.asciidoc | 2 + 108 files changed, 7563 insertions(+), 249 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-access-to-keychain-credentials-directories.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-authorization-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-component-object-model-hijacking.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-container-workload-protection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-endpoint-security.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-external-alerts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-detected-elastic-endgame.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-folder-action-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-admin-group-account-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-persistence-via-login-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-shell-execution-via-apple-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-browser-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-systemkey-access-via-command-line.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-webproxy-settings-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-iam-login-profile-added-to-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ec2-ami-shared-with-another-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-file-download-via-a-headless-browser.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-author.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/route53-resolver-query-log-configuration-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc 
create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-web-browser-sensitive-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-execution-via-microsoft-common-console-file.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..448ba3d98b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-access-to-keychain-credentials-directories.asciidoc 
@@ -0,0 +1,136 @@ +[[prebuilt-rule-8-12-12-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : ("/opt/jc/bin/jumpcloud-agent", "/usr/bin/basename") and + not process.Ext.effective_parent.executable : ("/opt/rapid7/ir_agent/ir_agent", + "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint", + "/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService", + "/usr/local/jamf/bin/jamf", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..31a21feb93 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame]] +=== Adversary Behavior - Detected - Elastic Endgame + +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc new file mode 100644 index 0000000000..d948de38c5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory]] +=== Alternate Data Stream Creation/Execution at Volume Root Directory + +Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and event.category in ("file", "process") and + ( + (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or + (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..dadca19edf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges.asciidoc 
@@ -0,0 +1,111 @@ +[[prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" and + not process.parent.name : "Electron" and + not process.Ext.effective_parent.executable : ("/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-authorization-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-authorization-plugin-modification.asciidoc new file mode 100644 index 0000000000..83b6b93336 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-authorization-plugin-modification.asciidoc 
@@ -0,0 +1,106 @@ +[[prebuilt-rule-8-12-12-authorization-plugin-modification]] +=== Authorization Plugin Modification + +Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/documentation/security/authorization_plug-ins +* https://www.xorrior.com/persistent-credential-theft/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:(/Library/Security/SecurityAgentPlugins/* and + not (/Library/Security/SecurityAgentPlugins/KandjiPassport.bundle/* or /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*)) and + not (process.name:shove and process.code_signature.trusted:true) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Authentication Package +** ID: T1547.002 +** Reference URL: https://attack.mitre.org/techniques/T1547/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc new file mode 100644 index 0000000000..890f2a59bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc 
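Review bot: The two bundle exclusions in the query are path-only: `not (/Library/Security/SecurityAgentPlugins/KandjiPassport.bundle/* or /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*)` allowlists any file written under those directory names regardless of which process wrote it, whereas the `shove` exclusion is correctly gated on `process.code_signature.trusted:true`. Suggest gating the Kandji and TeamViewer paths on the writing process's signature in the same way. In the setup steps, "for MacOS it is recommended" should read "macOS" to match the rest of the document.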
@@ -0,0 +1,124 @@ +[[prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role]] +=== AWS EC2 Admin Credential Fetch via Assumed Role + +Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon EC2 +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating AWS EC2 Admin Credential Fetch via Assumed Role* + + +This rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. + +This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. 
+ + +*Possible Investigation Steps* + + +- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. +- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password. +- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident. +- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance. +- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata. +- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS. +- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. +- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. 
+ + +*Response and Remediation* + + +- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions. +- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials. +- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. +- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. +- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems. +- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`. + + +*Additional Information* + + +Refer to resources like https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc[AWS privilege escalation methods] and the MITRE ATT&CK technique https://attack.mitre.org/techniques/T1552/005/[T1552.005 - Cloud Instance Metadata API] for more details on potential vulnerabilities and mitigation strategies. 
+ + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"aws.cloudtrail" + and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" + and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Cloud Instance Metadata API +** ID: T1552.005 +** Reference URL: https://attack.mitre.org/techniques/T1552/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..8eadc87e07 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-component-object-model-hijacking.asciidoc 
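Review bot: The clause `aws.cloudtrail.error_code:"Client.UnauthorizedOperation"` in the query means this rule only fires on GetPasswordData calls that were denied, yet the title ("Admin Credential Fetch"), the description ("retrieves the administrator password") and the investigation step "understand the context of the API call and the retrieved password" all describe a successful retrieval; a denied call returns no password. Either drop the error_code clause so successful fetches are caught, or retitle the rule as an attempt and rewrite the affected guide steps. Separately, the description says `GetPassword` while the guide and query use `GetPasswordData`; use the actual API name throughout, and consider collapsing the redundant `Data Source: AWS` / `Data Source: Amazon Web Services` tags into one.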
@@ -0,0 +1,208 @@ +[[prebuilt-rule-8-12-12-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Component Object Model Hijacking* + + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. 
+- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" and process.executable != null and + ( + ( + registry.path : "HK*\\InprocServer32\\" and + registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" + ) or + + ( + registry.path : "HKLM\\*\\InProcServer32\\*" and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + ) or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + ( + registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute", + "HKEY_USERS\\*\\TreatAs\\", + "HKEY_USERS\\*\\ScriptletURL*" + ) + ) + ) and + + not ( + process.code_signature.trusted == true and + process.code_signature.subject_name in + ("Island Technology Inc.", "Google LLC", "Grammarly, Inc.", "Dropbox, Inc", "REFINITIV US LLC", "HP Inc.", + "Citrix Systems, Inc.", "Adobe Inc.", "Veeam Software Group GmbH", "Zhuhai Kingsoft Office Software Co., Ltd.", + "Oracle America, 
Inc.") + ) and + + /* excludes Microsoft signed noisy processes */ + not + ( + process.name : ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe", "MicrosoftEdgeUpdate.exe", "msrdcw.exe", "MicrosoftEdgeUpdateComRegisterShell64.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") + ) and + + not process.executable : + ("?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\regsvr32.exe", + "?:\\Windows\\System32\\regsvr32.exe", + "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
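Review bot: The tags list `Data Source: Elastic Endgame`, but the only entry under *Rule indices* is `logs-endpoint.events.registry-*`, so Endgame data (which this same patch places in `endgame-*` for the Credential Dumping rule) is never searched by this rule; either add the Endgame index or drop the tag. The Setup paragraph about beats indices on versions <8.2 likewise does not apply to an Elastic Agent-only index set; if it is package boilerplate, at minimum turn "refer - https://..." into a proper sentence and add the missing article in "default fallback for EQL rules was not added".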
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services.asciidoc new file mode 100644 index 0000000000..c147fca9d3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services.asciidoc 
@@ -0,0 +1,297 @@ +[[prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services]] +=== Connection to Commonly Abused Web Services + +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.network-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Connection to Commonly Abused Web Services* + + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. + +This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Verify whether the digital signature exists in the executable. +- Identify the operation type (upload, download, tunneling, etc.). +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. 
+ - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO 
Talos, Any.run, etc. + + +*False positive analysis* + + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + /* Add new WebSvc domains here */ + dns.question.name : + ( + "raw.githubusercontent.*", + "pastebin.*", + "paste4btc.com", + "paste.ee", + "ghostbin.com", + "drive.google.com", + "?.docs.live.net", + "api.dropboxapi.*", + "content.dropboxapi.*", + "dl.dropboxusercontent.*", + "api.onedrive.com", + "*.onedrive.org", + "onedrive.live.com", + "filebin.net", + "*.ngrok.io", + "ngrok.com", + "*.portmap.*", + "*serveo.net", + "*localtunnel.me", + "*pagekite.me", + "*localxpose.io", + "*notabug.org", + "rawcdn.githack.*", + "paste.nrecom.net", + "zerobin.net", + "controlc.com", + "requestbin.net", + "slack.com", + "api.slack.com", + "slack-redir.net", + "slack-files.com", + "cdn.discordapp.com", + "discordapp.com", + "discord.com", + "apis.azureedge.net", + "cdn.sql.gg", + "?.top4top.io", + "top4top.io", + "www.uplooder.net", + "*.cdnmegafiles.com", + "transfer.sh", + "gofile.io", + "updates.peer2profit.com", + "api.telegram.org", + "t.me", + "meacz.gq", + "rwrd.org", + "*.publicvm.com", + "*.blogspot.com", + "api.mylnikov.org", + "file.io", + "stackoverflow.com", + "*files.1drv.com", + "api.anonfile.com", + "*hosting-profi.de", + "ipbase.com", + "ipfs.io", + "*up.freeo*.space", + "api.mylnikov.org", + "script.google.com", + "script.googleusercontent.com", + "api.notion.com", + "graph.microsoft.com", + "*.sharepoint.com", + "mbasic.facebook.com", + "login.live.com", + "api.gofile.io", + "api.anonfiles.com", + "api.notion.com", + "api.trello.com", + "gist.githubusercontent.com", + "files.pythonhosted.org", + "g.live.com", + "*.zulipchat.com", + "webhook.site", + "run.mocky.io", + "mockbin.org") and + + /* Insert noisy false positives here */ + not ( + ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files 
(x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe", + "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe" + ) + ) or + + /* Discord App */ + (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and + process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com") + ) or + + /* MS Sharepoint */ + (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and + process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com" + ) or + + /* Firefox */ + (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and + process.code_signature.trusted == true) + ) or + + /* Dropbox */ + (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and + process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com") + ) or + + /* Obsidian - Plugins are stored on raw.githubusercontent.com */ + (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and + process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com" + ) or + + /* WebExperienceHostApp */ + (process.name : 
"WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and + process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com") + ) or + + (process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and + dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", "login.live.com")) or + + (process.code_signature.trusted == true and + process.code_signature.subject_name : + ("Johannes Schindelin", + "Redis Inc.", + "Slack Technologies, LLC", + "Cisco Systems, Inc.", + "Dropbox, Inc", + "Amazon.com Services LLC")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ +* Sub-technique: +** Name: Exfiltration to Code Repository +** ID: T1567.001 +** Reference URL: https://attack.mitre.org/techniques/T1567/001/ +* Sub-technique: +** Name: Exfiltration to Cloud Storage +** ID: T1567.002 +** Reference URL: https://attack.mitre.org/techniques/T1567/002/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-container-workload-protection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-container-workload-protection.asciidoc new file mode 100644 index 0000000000..8e54de2625 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-container-workload-protection.asciidoc 
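Review bot: The `dns.question.name` list in the preceding query contains duplicate entries: `"api.mylnikov.org"` and `"api.notion.com"` each appear twice, and the Microsoft exclusion repeats a domain in `dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", "login.live.com")`. The engine tolerates this, but it suggests the list is hand-maintained without a dedupe step; remove the repeats. Also, the Firefox exclusion and the final signer allowlist (`"Johannes Schindelin"`, `"Redis Inc."`, `"Slack Technologies, LLC"` and the rest) carry no `dns.question.name` condition, so any trusted-signed process from those signers is exempt for every listed domain; a `/* ... */` comment stating that this is intentional would match the style of the other exclusions in the query.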
@@ -0,0 +1,60 @@ +[[prebuilt-rule-8-12-12-container-workload-protection]] +=== Container Workload Protection + +Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-cloud_defend.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:cloud_defend + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..7d846dbb83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame]] +=== Credential Dumping - Detected - Elastic Endgame + +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..b2696f67fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame.asciidoc 
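Review bot: the ATT&CK mapping is narrower than the query. The query matches any `cred_theft_event` (`event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event`), but the framework block maps it to the sub-technique LSASS Memory (T1003.001); unless Endgame's credential-theft events are limited to LSASS reads, map at the technique level (OS Credential Dumping, T1003) or state in the description which sources the event covers, so analysts triaging the alert are not steered toward LSASS-only checks.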
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame]] +=== Credential Dumping - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..ce9998761a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame.asciidoc 
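Review bot: the Setup section (the *Max alerts per run* and `xpack.alerting.rules.run.alerts.max` paragraphs, including the Serverless note) is pasted verbatim into this file and into every other Endgame and pass-through rule page in this patch. Consider moving it into a shared asciidoc include so a future change to the Kibana setting name or the 1000 default is made once rather than in each rule page, where copies will drift.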
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame]] +=== Credential Manipulation - Detected - Elastic Endgame + +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..b5a1130e31 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame.asciidoc 
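Review bot: the title and description say "Credential Manipulation", but the query matches `token_manipulation_event` and the framework block maps to Access Token Manipulation (T1134) under Privilege Escalation. Add a sentence to the description stating that the underlying Endgame event is access-token manipulation, so the page's name does not suggest a credential-access alert to someone reading the rule list.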
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame]] +=== Credential Manipulation - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account.asciidoc new file mode 100644 index 0000000000..4c99914267 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account.asciidoc 
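Review bot: the rule query block is tagged `[source, js]`, but the content is a KQL query, not JavaScript; the same tag is used for the KQL and EQL blocks throughout this patch. If the doc build has no dedicated highlighter, an untagged `[source]` block (or a project-wide agreed tag) is preferable to a language tag that will highlight `and`/`or` and field names incorrectly.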
@@ -0,0 +1,118 @@ +[[prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account]] +=== EC2 AMI Shared with Another Account + +Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html +* https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating EC2 AMI Shared with Another Account* + + +This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control. + + +*Possible Investigation Steps* + + +- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts. 
+ - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared. +- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments. +- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing. + + +*False Positive Analysis* + + +- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating. +- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior. + + +*Response and Remediation* + + +- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI. +- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns. 
+- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. +- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access. +- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing. + + +*Additional Information* + + +For more information on managing and sharing AMIs, refer to the https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[Amazon EC2 User Guide on AMIs] and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html[Sharing AMIs]. Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/[here]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" + and event.action: ModifyImageAttribute and event.outcome: success + and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-endpoint-security.asciidoc new file mode 100644 index 0000000000..fef1b09069 --- /dev/null 
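Review bot: the description says "AMIs can be made publicly available accidentally as well", but the query requires `aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)`, so a `ModifyImageAttribute` call that adds a group rather than a user ID (the public-sharing case) will not match; either narrow the description to account-to-account sharing or extend the query to cover the group form. Separately, the investigation guide tells the analyst to check `aws.response.response_elements`, while the query and the rest of the guide use the `aws.cloudtrail.*` prefix (`aws.cloudtrail.request_parameters`); verify the response-elements field name against the ingested CloudTrail mapping so the triage step points at a field that exists. The leading-wildcard terms (`*imageId*`) are also worth a comment on cost if the field is mapped as text.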
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-endpoint-security.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-endpoint-security]] +=== Endpoint Security + +Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:(endpoint and not endgame) + +---------------------------------- 
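Review bot: the query `event.kind:alert and event.module:(endpoint and not endgame)` applies `and not endgame` inside a single-field grouping; for a single-valued `event.module` this is redundant once `endpoint` is required, so either the field is expected to be multi-valued in some data (worth stating in the Setup section) or the clause can be simplified to `event.module:endpoint`. A one-line note on why the exclusion is kept would save the next reviewer the same question.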
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..5be7655c81 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands.asciidoc 
@@ -0,0 +1,127 @@ +[[prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + ((process.Ext.effective_parent.executable : ("/Volumes/*", "/Applications/*") or process.parent.executable : ("/Volumes/*", "/Applications/*")) or + (process.Ext.effective_parent.name : ".*" or process.parent.name : ".*")) and + not process.Ext.effective_parent.executable : ("/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", + "/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_ctl", + "/Applications/NordVPN.app/Contents/MacOS/NordVPN", + "/Applications/Xcode.app/Contents/MacOS/Xcode", + "/Applications/ESET Endpoint Security.app/Contents/Helpers/Uninstaller.app/Contents/MacOS/Uninstaller", + "/Applications/Parallels Desktop.app/Contents/MacOS/prl_client_app", + "/Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler", + "/Applications/com.avast.av.uninstaller.app/Contents/MacOS/com.avast.av.uninstaller", + "/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ESET Management Agent.app/Contents/MacOS/ERAAgent") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: 
https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..fcb19a4ae7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-detected-elastic-endgame.asciidoc 
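Review bot: the allowlist at the end of the EQL query (`not process.Ext.effective_parent.executable : (...)`) is applied only to the effective-parent field, while the preceding condition accepts a match through either `process.Ext.effective_parent.executable` or `process.parent.executable`. When the two fields differ, a child of one of the listed agents (for example the Qualys or ESET paths) matched via `process.parent.executable` is not excluded; confirm this asymmetry is intended or mirror the exclusion list on `process.parent.executable`. In the Setup steps, "for MacOS it is recommended" should use the "macOS" spelling used elsewhere in the file, and "Each preset comes with different default settings for Elastic Agent, you can further customize these later" is a comma splice that should be split into two sentences.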
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-12-12-exploit-detected-elastic-endgame]] +=== Exploit - Detected - Elastic Endgame + +Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..5097d816ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame.asciidoc 
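Review bot: the framework block lists two tactics, Execution (TA0002) and Privilege Escalation (TA0004), but the only technique mapped is Exploitation for Privilege Escalation (T1068), which belongs to the second. Either add the corresponding Execution technique (Exploitation for Client Execution, T1203) if the Endgame `exploit_event` covers client-side exploitation, or drop the Execution tactic so the tags and the technique list agree.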
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame]] +=== Exploit - Prevented - Elastic Endgame + +Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-external-alerts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-external-alerts.asciidoc new file mode 100644 index 0000000000..7651d06282 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-external-alerts.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-12-12-external-alerts]] +=== External Alerts + +Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + +*Rule type*: query + +*Rule indices*: + +* apm-*-transaction* +* traces-apm* +* auditbeat-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* OS: Windows +* Data Source: APM +* OS: macOS +* OS: Linux + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) + +---------------------------------- 
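Review bot: the *Searches indices from* line reads `None` but keeps the "({ref}/common-options.html#date-math[Date Math format], see also <>)" parenthetical, so the page tells the reader that "None" is a date-math expression; the generator should omit the parenthetical when no lookback is set, or the rule should carry a real lookback value. Also note that the `logs-*` index pattern overlaps the `logs-endpoint.alerts-*` and `logs-cloud_defend.alerts-*` patterns used by the Endpoint Security and Container Workload Protection rules in this patch, so the only thing preventing double alerts is the `not event.module:(endgame or endpoint or cloud_defend)` clause; a sentence in the description stating that dependency would help anyone who later edits the exclusion list.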
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled.asciidoc new file mode 100644 index 0000000000..a57739d0bc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled]] +=== Finder Sync Plugin Registered and Enabled + +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and + process.args : "-e" and process.args : "use" and process.args : "-i" and + not process.args : + ( + "com.google.GoogleDrive.FinderSyncAPIExtension", + "com.google.drivefs.findersync", + "com.boxcryptor.osx.Rednif", + "com.adobe.accmac.ACCFinderSync", + "com.microsoft.OneDrive.FinderSync", + "com.insynchq.Insync.Insync-Finder-Integration", + "com.box.desktop.findersyncext" + ) and + not process.parent.executable : ("/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp", + "/Applications/Google Drive.app/Contents/MacOS/Google Drive") and + not process.Ext.effective_parent.executable : ("/Applications/Google Drive.app/Contents/MacOS/Google Drive", + "/usr/local/jamf/bin/jamf", + "/Applications/Nextcloud.app/Contents/MacOS/Nextcloud", + "/Library/Application Support/Checkpoint/Endpoint Security/AMFinderExtensions.app/Contents/MacOS/AMFinderExtensions", + "/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..2badb581e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line.asciidoc 
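Review bot: in the Finder Sync Plugin page above, the setup steps spell the OS two ways: `for MacOS it is recommended to select "Traditional Endpoints"` against the `OS: macOS` tag and the `on a macOS System` heading a few lines earlier. Apple's spelling is macOS; the same `MacOS` appears in the copied setup block of every Elastic Defend rule in this patch, so fix it at the template. The setup section also renders `==== Setup` followed by a bare `*Setup*` line with blank lines between them, which reads as a duplicated heading.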
@@ -0,0 +1,117 @@ +[[prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.action == "exec" and + process.name : "security" and + process.args : ("-wa", "-ga") and process.args : ("find-generic-password", "find-internet-password") and + process.command_line : ("*Chrome*", "*Chromium*", "*Opera*", "*Safari*", "*Brave*", "*Microsoft Edge*", "*Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event.asciidoc new file mode 100644 index 0000000000..5d28ad264e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event.asciidoc 
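Review bot: in the Keychain Password Retrieval page above, the description has a stray preposition: `Adversaries may collect keychain storage data from a system to in order to acquire credentials.` should read `... from a system in order to acquire credentials.` Also, the query's only false-positive handling is the single wildcard parent path `"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"`; since the rule searches `process.command_line` for browser names, other password managers that legitimately call `security find-generic-password` against browser keychain items will alert, and the page gives analysts no guidance for triaging that.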
@@ -0,0 +1,119 @@ +[[prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event]] +=== MacOS Installer Package Spawns Network Event + +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 +* https://github.com/D00MFist/Mystikal + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. 
+ + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=15s +[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")] by process.entity_id +[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python", "java", "ruby", "node")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..55c3fdb59d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-detected-elastic-endgame.asciidoc 
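Review bot: in the MacOS Installer Package Spawns Network Event page above, the ATT&CK mapping lists sub-technique `T1059.007` (JavaScript), but the first sequence step matches `process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")`, none of which the query checks for JavaScript use (osascript can run JXA, but the rule does not test for `-l JavaScript`). Map to T1059.004 (Unix Shell), T1059.006 (Python) and T1059.002 (AppleScript) instead, or explain the JavaScript choice in the description. Minor: `(e.g bash)` and `(e.g curl)` are missing the period after `e.g`, and the title spells the OS `MacOS` while the tag says `macOS`.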
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-malware-detected-elastic-endgame]] +=== Malware - Detected - Elastic Endgame + +Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- 
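Review bot: the `*Tags*` list carries only `Data Source: Elastic Endgame` and the page has no `*Framework*: MITRE ATT&CK` section, whereas the sibling Endgame pages in this patch (Permission Theft - Detected/Prevented) also tag `Use Case: Threat Detection` and a `Tactic` and map a technique. If the omission is deliberate because a `file_classification_event` does not correspond to one ATT&CK technique, say so in the description; otherwise bring the tags in line. The same applies to the Malware - Prevented page that follows.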
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..631e09e362 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-malware-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-malware-prevented-elastic-endgame]] +=== Malware - Prevented - Elastic Endgame + +Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc new file mode 100644 index 0000000000..d0bd3418e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent]] +=== Modification of Environment Variable via Unsigned or Untrusted Parent + +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:launchctl and + (process.parent.code_signature.exists : false or process.parent.code_signature.trusted : false) and + process.args:(setenv and not (ANT_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + EDEN_ENV or + LG_WEBOS_TV_SDK_HOME or + RUNTIME_JAVA_HOME or + WEBOS_CLI_TV or + JAVA*_HOME) and + not *.vmoptions) and + not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /usr/local/bin/kr) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..4a3e58b015 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame.asciidoc 
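Review bot: in the Modification of Environment Variable page above, the parent-executable exclusion lists `/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin` twice in a row; drop the duplicate. The ATT&CK mapping is also narrower than the description: the text says adversaries hijack environment variables `to load arbitrary libraries or bypass certain restrictions`, which is Dynamic Linker Hijacking (T1574.006), while the page maps only `T1574.007` Path Interception by PATH Environment Variable even though the query does not look at `PATH` specifically. Add T1574.006 or narrow the description to what the query detects.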
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame]] +=== Permission Theft - Detected - Elastic Endgame + +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..277679b12d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame]] +=== Permission Theft - Prevented - Elastic Endgame + +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification.asciidoc new file mode 100644 index 0000000000..3c759d34a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification.asciidoc 
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification]] +=== Persistence via Docker Shortcut Modification + +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". 
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Preferences/com.apple.dock.plist and + not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) and + not process.executable:(/Library/Addigy/download-cache/* or "/Library/Kandji/Kandji Agent.app/Contents/MacOS/kandji-library-manager") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
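Review bot: the `===` title of the Persistence via Docker Shortcut Modification hunk names "Docker", but everything else in the file, the description ("macOS dock property list"), the SpecterOps reference and the query path `/Users/*/Library/Preferences/com.apple.dock.plist`, is about the macOS Dock; rename the title (and ideally the anchor) to "Dock Shortcut Modification" so analysts searching for Dock persistence find it and Docker triage does not pull it in. In the query, `not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)` allow-lists on a name the writer controls, so an unsigned binary renamed `plutil` is excluded; anchor the non-Apple names on `process.executable` (as the Addigy/Kandji entries already are) or on a code-signature field, and narrow `/Library/Addigy/download-cache/*`, which currently excludes an entire writable cache directory rather than one agent binary. The ATT&CK mapping to T1543 "Create or Modify System Process" also reads oddly for a Dock plist edit; T1547 (Boot or Logon Autostart Execution) or T1647 (Plist File Modification), as used by the login-hook rule in this same package, would describe the behaviour. Minor: "for MacOS" in the setup bullet should be "for macOS" to match the `OS: macOS` tag.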
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-folder-action-script.asciidoc new file mode 100644 index 0000000000..dfde8d89b2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-persistence-via-folder-action-script.asciidoc 
@@ -0,0 +1,108 @@ +[[prebuilt-rule-8-12-12-persistence-via-folder-action-script]] +=== Persistence via Folder Action Script + +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + process.parent.name == "com.apple.foundation.UserScriptService" and not process.args : ("/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt", "/Users/*/Library/Application Scripts/com.microsoft.*/FoxitUtils.applescript") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-admin-group-account-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-admin-group-account-addition.asciidoc new file mode 100644 index 0000000000..983fe468ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-admin-group-account-addition.asciidoc 
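Review bot: in the Persistence via Folder Action Script hunk the description says the rule "Detects modification of a Folder Action script", but the query is `process where host.os.type == "macos" and event.type : "start" ... and process.parent.name == "com.apple.foundation.UserScriptService"`, which fires when an interpreter (`osascript`, `python`, `bash`, ...) is launched by the Folder Actions service, i.e. on a script executing, not on a script file being written. Reword the description to "Detects execution of a Folder Action script" (the Execution tactic tag is the accurate one), or add a file-category clause if modification really is the intent. The two `not process.args` exclusions are whole user paths (`/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt` and `/Users/*/Library/Application Scripts/com.microsoft.*/FoxitUtils.applescript`) that any script dropped into those directories inherits, so call them out in a false-positive note and consider matching on the script's signing or hash rather than location.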
@@ -0,0 +1,107 @@ +[[prebuilt-rule-8-12-12-potential-admin-group-account-addition]] +=== Potential Admin Group Account Addition + +Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append")) and + not process.Ext.effective_parent.executable : ("/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon" or + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService" or + "/opt/jc/bin/jumpcloud-agent" or + "/Library/Addigy/go-agent") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser.asciidoc new file mode 100644 index 0000000000..0af40dbcf4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser.asciidoc 
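Review bot: in the Potential Admin Group Account Addition hunk, `process.args:(("/Groups/admin" or admin) and ("-a" or "-append"))` is evaluated over the whole `process.args` array, so it only requires that one argument equals `admin` or `/Groups/admin` and some other argument equals `-a` or `-append`, in any order and for either binary; the bare `admin` term will match any invocation that mentions a user or group literally named `admin`. It also misses `dscl . -merge /Groups/admin GroupMembership <user>`, which adds the membership exactly like `-append`. Suggest splitting the match per tool, e.g. `dscl` with `"/Groups/admin"` and (`"-append"` or `"-merge"`), and `dseditgroup` with `admin` and `"-a"` and `"-t"`, and documenting the remaining looseness in a false-positive section. The `process.Ext.effective_parent.executable` exclusions silently trust anything launched under Jamf, JumpCloud or Addigy; that is reasonable for MDM-driven group changes but should be stated in the setup text so an analyst knows a compromised MDM agent would not alert here.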
@@ -0,0 +1,108 @@ +[[prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser]] +=== Potential File Download via a Headless Browser + +Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Msedge/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Windows +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential File Download via a Headless Browser* + + +- Investigate the process execution chain (parent process tree). +- Investigate the process network and file events. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and + (process.args : "--headless*" or process.args : "data:text/html;base64,*") and + process.parent.name : + ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe", + "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe", + "pcalua.exe", "wmiprvse.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ 
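Review bot: in the Potential File Download via a Headless Browser hunk, the parent list includes `cmd.exe`, `powershell.exe` and `explorer.exe`, which is exactly how developer and CI tooling (Puppeteer, Playwright, Selenium, Lighthouse, HTML-to-PDF scripts) launches `chrome.exe --headless`, so a severity-high rule with no "False positive analysis" section will page on build agents and render hosts. Add an FP section naming that population and a suggested per-host-group exception. The title also promises a "File Download" that the query never checks for: `process.args : "--headless*"` from a listed parent is sufficient on its own, and the `data:text/html;base64,*` alternative is inline HTML rather than a download. Either rename to "Headless Browser Launched from Suspicious Parent" or add a clause requiring a URL-like argument, and tell the analyst in the investigation guide which `process.args` value holds the fetched URL. For the `winlogbeat-*`/`logs-system.security*` sources, note in Setup that `process.args` is only populated when command-line auditing for 4688 is enabled.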
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-persistence-via-login-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-persistence-via-login-hook.asciidoc new file mode 100644 index 0000000000..bca565a7ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-persistence-via-login-hook.asciidoc 
@@ -0,0 +1,117 @@ +[[prebuilt-rule-8-12-12-potential-persistence-via-login-hook]] +=== Potential Persistence via Login Hook + +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system. + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. 
+- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.name:"com.apple.loginwindow.plist" and + not process.name: (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" or storagekitd or CloneKitService) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author.asciidoc new file mode 100644 index 0000000000..e59240c5ac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author.asciidoc 
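Review bot: in the Potential Persistence via Login Hook hunk, `not process.name: (... cfprefsd ...)` removes the process that actually commits preference-API writes to disk: `defaults write com.apple.loginwindow LoginHook /path/script`, the usual way a LoginHook is set, is written by `cfprefsd`, so the most common variant of the technique the rule is named for never produces a matching file event. Either state in the doc that this rule covers only direct file writes (editors, `PlistBuddy`, dropped plists) and pair it with a process rule on `defaults` with `LoginHook` in `process.args`, or drop `cfprefsd` from the exclusion and accept the noise. The "Triage and analysis" paragraph describes the 10.7 "reopen windows when logging back in" feature, which is a different mechanism from the `LoginHook` key the rule name and the PersistentJXA LoginScript.js reference are about; reword it so the analyst knows to inspect the plist for a `LoginHook` entry. Finally, `file.name:"com.apple.loginwindow.plist"` without a path matches both the system copy under `/Library/Preferences/` and each user's `~/Library/Preferences/` copy, which holds unrelated per-user login-window settings; decide whether the per-user copy is in scope and constrain `file.path` accordingly.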
@@ -0,0 +1,115 @@ +[[prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author]] +=== Potential PowerShell HackTool Script by Author + +Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.powershell* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: PowerShell Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and + powershell.file.script_block_text : ( + "mattifestation" or "JosephBialek" or + "harmj0y" or "ukstufus" or + "SecureThisShit" or "Matthew Graeber" or + "secabstraction" or "mgeeky" or + "oddvarmoe" or "am0nsec" or + "obscuresec" or "sixdub" or + "darkoperator" or "funoverip" or + "rvrsh3ll" or "kevin_robertson" or + "dafthack" or "r4wd3r" or + "danielhbohannon" or "OneLogicalMyth" or + "cobbr_io" or "xorrior" or + "PetrMedonos" or "citronneur" or + "eladshamir" or "RastaMouse" or + "enigma0x3" or "FuzzySec" or + "424f424f" or "jaredhaight" or + "fullmetalcache" or "Hubbl3" or + "curi0usJack" or "Cx01N" or + "itm4n" or "nurfed1" or + "cfalta" or "Scott Sutherland" or + "_nullbind" or "_tmenochet" or + "Boe Prox" or "jaredcatkinson" or + "ChrisTruncer" or "monoxgas" or + "TheRealWover" or "splinter_code" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
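Review bot: in the Potential PowerShell HackTool Script by Author hunk, several handles in the `powershell.file.script_block_text` list belong to people who also publish widely deployed benign modules: "Boe Prox" is the author of PoshRSJob and many administration scripts, and "darkoperator" (Carlos Perez) of Posh-SSH, so on a fleet that uses those modules this severity-high rule alerts on routine admin scripts that carry an author header. Add a "False positive analysis" section naming that risk and suggest corroborating with a second indicator (script path outside the module directories, or a known hacktool function name) before treating the match as high. Since this is a 4104 script-block match, also note in Setup that `event.category:process` is how the Windows integration classifies script block events and that long scripts are logged in several chunks, so the author line is normally found only in the first one. Minor: "offensive tooling author's name" in the description should be "authors' names" or "author handles".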
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc new file mode 100644 index 0000000000..bf94bb4693 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system]] +=== Potential Ransomware Behavior - High count of Readme files by System + +This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-1m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Possible investigation steps* + + +- Investigate the content of the readme files. +- Investigate any file names with unusual extensions. +- Investigate any incoming network connection to port 445 on this host. +- Investigate any network logon events to this host. +- Identify the total number and type of modified files by pid 4. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Local file modification from a Kernel mode driver. 
+ + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and + file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb.asciidoc new file mode 100644 index 0000000000..dddd25224b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb.asciidoc 
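Review bot: in the Potential Ransomware Behavior - High count of Readme files by System hunk, "Runs every: 5m" together with "Searches indices from: now-1m" leaves four of every five minutes unsearched: a threshold rule only counts events inside its lookback window, so a burst of twenty note files created three minutes before a run never reaches the threshold. Either set the lookback to `now-9m` like the neighbouring rules or document that the rule is meant to run on a 1-minute interval, and state the threshold value (20) and the grouping fields (host and file name, per the description) in the doc itself. In the query, `*lock*`, `*@*` and `*restore*` are leading-wildcard `file.name` patterns that ordinary SMB clients produce on file servers (lock files, attachments with addresses in the name, restore logs), and `process.pid:4` is precisely that population; the "False positive analysis" section lists only kernel-mode drivers, so add shared-volume noise there and consider restricting to the extensions the companion SMB rule uses (`hta`, `txt`, `readme`, `htm*`).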
@@ -0,0 +1,136 @@ +[[prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb]] +=== Potential Ransomware Note File Dropped via SMB + +Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file creation with similar file naming convention via SMB. 
+ + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and event.action == "creation" and + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and + /* ransom file name keywords */ + file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..66933a5584 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame]] +=== Process Injection - Detected - Elastic Endgame + +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..098c9d29dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame]] +=== Process Injection - Prevented - Elastic Endgame + +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. 
+ +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..ba90bbd9a9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript.asciidoc 
@@ -0,0 +1,111 @@ +[[prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and + process.name : "osascript" and process.args : "-e" and process.command_line : ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*") and + not (process.parent.executable : "/usr/bin/sudo" and process.command_line : "*Encryption Key Escrow*") and + not (process.command_line : "*-e with timeout of 3600 seconds*" and user.id == "0" and process.parent.executable : "/bin/bash") and + not process.Ext.effective_parent.executable : ("/usr/local/jamf/*", + "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements", + "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc new file mode 100644 index 0000000000..c90b38f87d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process]] +=== Quarantine Attrib Removed by Unsigned or Untrusted Process + +Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://nixhacker.com/security-protection-in-macos-1/ +* https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "extended_attributes_delete" and process.executable != null and +(process.code_signature.trusted == false or process.code_signature.exists == false) and not +process.executable : ("/usr/bin/xattr", + "/System/*", + "/private/tmp/KSInstallAction.*/*/Install Google Software Update.app/Contents/Helpers/ksinstall", + "/Applications/CEWE Fotoschau.app/Contents/MacOS/FotoPlus", + "/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust") and not +file.path : "/private/var/folders/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..9b74bd7f6b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame.asciidoc 
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame]] +=== Ransomware - Detected - Elastic Endgame + +Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..bad9934d39 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame.asciidoc 
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame]] +=== Ransomware - Prevented - Elastic Endgame + +Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted.asciidoc new file mode 100644 index 0000000000..c7fd8f1450 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted]] +=== Route53 Resolver Query Log Configuration Deleted + +Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon Route53 +* Use Case: Log Auditing +* Resources: Investigation Guide +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating Route53 Resolver Query Log Configuration Deleted* + + +This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network. + +Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. 
By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts. + + +*Possible Investigation Steps* + + +- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. + - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion. +- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. + - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign. +- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. + - Investigate any recent permission changes that might indicate role abuse or credentials compromise. +- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. + - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems. +- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel. + + +*Response and Remediation* + + +- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries. 
+- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. + - Adjust AWS IAM policies to reinforce security measures. +- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions. +- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities. + + +*Additional Information* + + +For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html[Amazon Route53 Resolver documentation]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com + and event.action: DeleteResolverQueryLogConfig and event.outcome: success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Logs +** ID: T1562.008 +** Reference URL: https://attack.mitre.org/techniques/T1562/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-shell-execution-via-apple-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-shell-execution-via-apple-scripting.asciidoc new file mode 100644 index 0000000000..affce6fe9a --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-shell-execution-via-apple-scripting.asciidoc 
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-12-12-shell-execution-via-apple-scripting]] +=== Shell Execution via Apple Scripting + +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/technotes/tn2065/_index.html +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript" and process.args : "-e"] by process.entity_id + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : ("sh", "bash", "zsh") and process.args == "-c" and process.args : ("*curl*", "*pbcopy*", "*http*", "*chmod*")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-browser-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-browser-child-process.asciidoc new file mode 100644 index 0000000000..48d76dabcc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-browser-child-process.asciidoc 
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-12-12-suspicious-browser-child-process]] +=== Suspicious Browser Child Process + +Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x43.html +* https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and + process.command_line != null and + not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and + not process.args : + ( + "hw.model", + "IOPlatformExpertDevice", + "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh", + "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer)", + "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container", + "--defaults-torrc", + "*Chrome.app", + "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh", + "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery", + "$DISPLAY", + "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*", + "/opt/homebrew/*", + "/usr/local/*brew*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Drive-by Compromise +** ID: T1189 +** Reference URL: https://attack.mitre.org/techniques/T1189/ 
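Review bot: The `not process.args : (...)` exclusion list in the query contains `"$DISPLAY"` and `"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*"`, which are X11/GNOME desktop artifacts that do not occur on the `host.os.type == "macos"` events this rule is scoped to; they look carried over from a Linux variant and should be removed or their purpose documented. In the same list, `"/opt/homebrew/*"` and `"/usr/local/*brew*"` exclude any browser child whose argument list contains such a path, including a `sh -c` command line that merely mentions one, so consider anchoring those two exclusions on `process.executable` or `process.parent.executable` rather than on arguments. Minor: the description "Identifies the execution of a suspicious browser child process" restates the title; say what the query actually looks for (shells, curl/wget and script interpreters spawned by a browser) so the alert is self-explanatory.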
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb.asciidoc new file mode 100644 index 0000000000..365ccd6725 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb.asciidoc 
@@ -0,0 +1,138 @@ +[[prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb]] +=== Suspicious File Renamed via SMB + +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file rename over SMB. 
+ + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and + event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and + file.extension != null and file.Ext.entropy >= 6 and + file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and + not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..011edeee9d --- /dev/null 
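Review bot: In the second sequence step the final entry of `not file.extension : ("jpg", ..., "pptx", "*.lnk")` is inconsistent with the rest of the list: `file.extension` holds the bare extension, so `"*.lnk"` never matches and a `.lnk` file renamed to another `.lnk` name is not excluded the way the other extensions are; change it to `"lnk"`. Investigation guide: "icoming" in the Performance bullet should be "incoming"; the step "Identify the user account that performed the file creation via SMB" should say rename, since the rule matches `event.action == "rename"`; and the False positive analysis entry "Remote file rename over SMB." only restates the trigger, so name which legitimate activity is expected to produce it. "If the number of files is too high and source.ip connecting over SMB is unusual isolate the host" needs a comma before "isolate".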
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process.asciidoc 
@@ -0,0 +1,168 @@ +[[prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process]] +=== Suspicious macOS MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and + process.parent.name: ( + "Microsoft Word", + "Microsoft Outlook", + "Microsoft Excel", + "Microsoft PowerPoint", + "Microsoft OneNote" + ) and + process.name : ( + "curl", + "nscurl", + "bash", + "sh", + "osascript", + "python*", + "perl*", + "mktemp", + "chmod", + "php", + "nohup", + "openssl", + "plutil", + "PlistBuddy", + "xattr", + "mktemp", + "sqlite3", + "funzip", + "popen" + ) and + + // Filter FPs related to product version discovery and Office error reporting behavior + not process.args: + ( + "ProductVersion", + "hw.model", + "ioreg", + "ProductName", + "ProductUserVisibleVersion", + "ProductBuildVersion", + "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting", + "open -a Safari *", + "defaults read *", + "sysctl hw.model*", + "ioreg -d2 -c IOPlatformExpertDevice *", + "ps aux | grep 'ToDesk_Desktop' | grep -v grep", + "PIPE=\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*" + ) and + + not process.parent.executable : + ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/lan-cache", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) and + not (process.name : "sh" and process.command_line : "*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*") and + + not process.Ext.effective_parent.executable : ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/auditor", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: 
https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access.asciidoc new file mode 100644 index 0000000000..586e033b65 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access.asciidoc 
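Review bot: `"mktemp"` appears twice in the `process.name` list of the query; drop the duplicate. The description limits the parents to "(Word, PowerPoint, and Excel)" while `process.parent.name` also matches "Microsoft Outlook" and "Microsoft OneNote", so update the description to list all five. The `process.parent.executable` and `process.Ext.effective_parent.executable` exclusion lists are otherwise identical but differ in `/Library/Addigy/lan-cache` versus `/Library/Addigy/auditor`; confirm that asymmetry is intentional or align the two lists.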
@@ -0,0 +1,115 @@ +[[prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access]] +=== Suspicious Web Browser Sensitive File Access + +Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "open" and process.executable != null and + file.name : ("cookies.sqlite", + "key?.db", + "logins.json", + "Cookies", + "Cookies.binarycookies", + "Login Data") and + ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript") and + not process.code_signature.signing_id : "org.mozilla.firefox" and + not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-systemkey-access-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-systemkey-access-via-command-line.asciidoc new file mode 100644 index 0000000000..b2a1922421 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-systemkey-access-via-command-line.asciidoc 
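Review bot: The query matches `file.name` values such as "Cookies", "Login Data" and "cookies.sqlite" with no `file.path` constraint, so any untrusted or unsigned process opening a same-named file anywhere on disk raises this high-severity alert, not only reads of browser profile stores; scope the match to the browser profile directories via `file.path` if the data supports it. The grouping `((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript")` has a redundant inner parenthesis; flatten it. This rule is high severity and risk score 73 yet ships without an investigation guide, unlike the SMB rule in the same patch; at least a "Possible investigation steps" list would help the analyst.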
@@ -0,0 +1,104 @@ +[[prebuilt-rule-8-12-12-systemkey-access-via-command-line]] +=== SystemKey Access via Command Line + +Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey") and + not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file.asciidoc new file mode 100644 index 0000000000..28cc1d42ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file.asciidoc 
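Review bot: The description talks about keychains in general and never mentions the `/var/db/SystemKey` (or `/private/var/db/SystemKey`) path the query keys on, so an analyst reading the alert has only the chainbreaker reference URL to explain why access to that file matters; add a sentence to the description stating what the file is and why command-line access to it is suspicious. Also "Rule type: query" plus the `process.args:(... or ...)` KQL form should be documented as an exact match on a whole argument, so readers know the rule does not fire on the path embedded inside a longer argument string.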
@@ -0,0 +1,124 @@ +[[prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file]] +=== Unusual Execution via Microsoft Common Console File + +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.genians.co.kr/blog/threat_intelligence/facebook + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Execution via Microsoft Common Console File* + + +- Investigate the source of the MSC file. +- Investigate the process execution chain (all spawned child processes and their descendants). +- Investigate the process and it's descendants network and file events. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. + + +*Response and remediation* + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and + not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-webproxy-settings-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-webproxy-settings-modification.asciidoc new file mode 100644 index 0000000000..a7d4815448 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rule-8-12-12-webproxy-settings-modification.asciidoc 
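Review bot: Typos in the investigation guide: "the process and it's descendants network and file events" should read "the process's and its descendants' network and file events". The four "Implement temporary network rules", "Stop suspicious processes", "Immediately block" and "Inspect the affected systems" bullets are indented with a leading space under "If the triage identified malware"; AsciiDoc does not nest list items by indentation, so they will render at the same level as the parent item unless a nested marker is used. On the query, `endswith~(process.parent.args, ".msc")` combined with the four path exclusions is fine, but the rule indices include Sysmon and Endgame while the exclusion depends on `process.parent.args` being populated for those sources; state in Setup which sources are expected to carry parent arguments.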
@@ -0,0 +1,104 @@ +[[prebuilt-rule-8-12-12-webproxy-settings-modification]] +=== WebProxy Settings Modification + +Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. 
+ + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and + not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or + "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or + "/usr/libexec/xpcproxy") and + not process.Ext.effective_parent.executable : ("/Applications/Proxyman.app/Contents/MacOS/Proxyman" or "/Applications/Incoggo.app/Contents/MacOS/Incoggo.app") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-appendix.asciidoc new file mode 100644 index 0000000000..93d3c37144 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-appendix.asciidoc 
@@ -0,0 +1,56 @@ +["appendix",role="exclude",id="prebuilt-rule-8-12-12-prebuilt-rules-8-12-12-appendix"] += Downloadable rule update v8.12.12 + +This section lists all updates associated with version 8.12.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-12-12-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc[] +include::prebuilt-rule-8-12-12-route53-resolver-query-log-configuration-deleted.asciidoc[] +include::prebuilt-rule-8-12-12-ec2-ami-shared-with-another-account.asciidoc[] +include::prebuilt-rule-8-12-12-potential-file-download-via-a-headless-browser.asciidoc[] +include::prebuilt-rule-8-12-12-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc[] +include::prebuilt-rule-8-12-12-unusual-execution-via-microsoft-common-console-file.asciidoc[] +include::prebuilt-rule-8-12-12-potential-powershell-hacktool-script-by-author.asciidoc[] +include::prebuilt-rule-8-12-12-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc[] +include::prebuilt-rule-8-12-12-suspicious-file-renamed-via-smb.asciidoc[] +include::prebuilt-rule-8-12-12-potential-ransomware-note-file-dropped-via-smb.asciidoc[] +include::prebuilt-rule-8-12-12-container-workload-protection.asciidoc[] +include::prebuilt-rule-8-12-12-endpoint-security.asciidoc[] +include::prebuilt-rule-8-12-12-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-8-12-12-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-8-12-12-webproxy-settings-modification.asciidoc[] +include::prebuilt-rule-8-12-12-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-12-12-suspicious-web-browser-sensitive-file-access.asciidoc[] +include::prebuilt-rule-8-12-12-systemkey-access-via-command-line.asciidoc[] +include::prebuilt-rule-8-12-12-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc[] 
+include::prebuilt-rule-8-12-12-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc[] +include::prebuilt-rule-8-12-12-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-12-12-suspicious-browser-child-process.asciidoc[] +include::prebuilt-rule-8-12-12-macos-installer-package-spawns-network-event.asciidoc[] +include::prebuilt-rule-8-12-12-shell-execution-via-apple-scripting.asciidoc[] +include::prebuilt-rule-8-12-12-suspicious-macos-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-12-12-authorization-plugin-modification.asciidoc[] +include::prebuilt-rule-8-12-12-persistence-via-docker-shortcut-modification.asciidoc[] +include::prebuilt-rule-8-12-12-finder-sync-plugin-registered-and-enabled.asciidoc[] +include::prebuilt-rule-8-12-12-persistence-via-folder-action-script.asciidoc[] +include::prebuilt-rule-8-12-12-potential-persistence-via-login-hook.asciidoc[] +include::prebuilt-rule-8-12-12-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-8-12-12-potential-admin-group-account-addition.asciidoc[] +include::prebuilt-rule-8-12-12-credential-dumping-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-credential-dumping-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-adversary-behavior-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-malware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-malware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-ransomware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-ransomware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-exploit-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-exploit-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-external-alerts.asciidoc[] 
+include::prebuilt-rule-8-12-12-credential-manipulation-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-credential-manipulation-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-permission-theft-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-permission-theft-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-process-injection-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-process-injection-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-12-12-connection-to-commonly-abused-web-services.asciidoc[] +include::prebuilt-rule-8-12-12-component-object-model-hijacking.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-summary.asciidoc new file mode 100644 index 0000000000..d260bcc4a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-12/prebuilt-rules-8-12-12-summary.asciidoc 
@@ -0,0 +1,112 @@ +[[prebuilt-rule-8-12-12-prebuilt-rules-8-12-12-summary]] +[role="xpack"] +== Update v8.12.12 + +This section lists all updates associated with version 8.12.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. | new | 2 + +|<> | Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. | new | 1 + +|<> | Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. | new | 1 + +|<> | Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions. | new | 1 + +|<> | Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. | new | 1 + +|<> | Identifies the execution of a child process from a Microsoft Common Console file. 
Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands. | new | 1 + +|<> | Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises. | new | 1 + +|<> | This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. | new | 1 + +|<> | Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. | new | 1 + +|<> | Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. | new | 1 + +|<> | Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. | update | 4 + +|<> | Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. | update | 103 + +|<> | Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | update | 207 + +|<> | Adversaries may collect keychain storage data from a system to in order to acquire credentials. 
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 108 + +|<> | Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. | update | 206 + +|<> | Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. | update | 207 + +|<> | Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. | update | 207 + +|<> | Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. | update | 206 + +|<> | Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. | update | 108 + +|<> | Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. | update | 206 + +|<> | Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. 
| update | 207 + +|<> | Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. | update | 107 + +|<> | Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. | update | 107 + +|<> | Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. | update | 107 + +|<> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. | update | 206 + +|<> | Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. | update | 107 + +|<> | An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. 
| update | 107 + +|<> | Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. | update | 206 + +|<> | Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. | update | 107 + +|<> | Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. | update | 108 + +|<> | Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. | update | 207 + +|<> | Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. | update | 206 + +|<> | Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 104 + +|<> | Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Malware. 
Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. | update | 103 + +|<> | Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected Process Injection. 
Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. | update | 113 + +|<> | Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. | update | 113 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 4eba464a0f..0e9f882996 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc 
@@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 15 May 2024 | 10 | 40 | +This release includes new rules for Windows and AWS integration and tuned rules for Windows and MacOS. New rules for Windows include detection for impact, execution, command and control and defense evasion. New rules for AWS include detection for persistence, defense evasion, exfiltration and credential access. Additionally, significant rule tuning for Windows and MacOS rules has been added for better rule efficacy and performance. + + |<> | 06 May 2024 | 0 | 0 | This version bump is a result of an out of band update. No rules require an update to this version. @@ -96,3 +100,4 @@ include::downloadable-packages/8-12-8/prebuilt-rules-8-12-8-summary.asciidoc[lev include::downloadable-packages/8-12-9/prebuilt-rules-8-12-9-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-12-10/prebuilt-rules-8-12-10-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-12-11/prebuilt-rules-8-12-11-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-12-12/prebuilt-rules-8-12-12-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index f9714f45bc..dcc93bad32 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -40,6 +40,8 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |206 +|<> |Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Amazon EC2], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.3.0 |2 + |<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Tactic: Impact] |8.9.0 |206 |<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |206 
@@ -74,6 +76,8 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Tactic: Impact] |8.9.0 |206 +|<> |Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who typically does not have one and is used only for programmatic access. This can be used to maintain access to the account even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Rule Type: BBR] |8.9.0 |1 + |<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Signin], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.9.0 |206 |<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.9.0 |209 
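Review bot: The AWS IAM Login Profile Added row introduced here (version 1, Rule Type: BBR) is missing from the v8.12.12 summary table, which counts 10 new rules, and from the appendix include list added by this same patch. The release note says the new AWS rules cover persistence, and this is the only AWS persistence rule in the patch, so the summary and appendix look incomplete rather than the reference row being wrong; either add the rule to both (and make the count 11) or hold this row until the package that actually ships it.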
@@ -134,9 +138,7 @@ and their rule type is `machine_learning`. |<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Domain: Endpoint], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Lateral Movement], [Tactic: Initial Access] |8.3.0 |104 -|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |107 - -|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |107 +|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.7.0 |207 |<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |10 
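Review bot: The Access of Stored Browser Credentials row is deleted here with no replacement, and the only plausible successor in the v8.12.12 summary is Suspicious Web Browser Sensitive File Access, listed as an update at version 207, so this is a rename rather than a removal; the same pattern recurs in the -232 hunk, where Attempt to Remove File Quarantine Attribute is deleted while the summary lists Quarantine Attrib Removed by Unsigned or Untrusted Process as an update at 108. Renames should be stated in the release note: anyone who disabled, tuned or filtered on the old rule names will not find them, and the "update" status in the summary hides the change.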
@@ -164,12 +166,14 @@ and their rule type is `machine_learning`. |<> |Detects writing executable files that will be automatically launched by Adobe on launch. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |111 -|<> |Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |103 +|<> |Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |104 |<> |Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection. |[Use Case: Threat Detection], [Tactic: Defense Evasion] |8.3.0 |101 |<> |Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection. |[Use Case: Threat Detection], [Tactic: Defense Evasion] |8.3.0 |101 +|<> |Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |1 + |<> |Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Resource Development] |8.3.0 |103 |<> |Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |104 
@@ -180,7 +184,7 @@ and their rule type is `machine_learning`. |<> |Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |107 +|<> |Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.11.0 |207 |<> |Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Tactic: Persistence], [Resources: Investigation Guide] |8.4.0 |205 
@@ -232,8 +236,6 @@ and their rule type is `machine_learning`. |<> |Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |107 -|<> |Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |107 - |<> |Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |206 |<> |Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |206 
@@ -248,7 +250,7 @@ and their rule type is `machine_learning`. |<> |Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |208 -|<> |Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |107 |<> |In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. 
|[Domain: Cloud], [Data Source: Azure], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.3.0 |102 @@ -352,7 +354,7 @@ and their rule type is `machine_learning`. |<> |Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |110 -|<> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |112 +|<> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |113 |<> |Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |3 
@@ -360,7 +362,7 @@ and their rule type is `machine_learning`. |<> |Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |107 -|<> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |112 +|<> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |113 |<> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |107 
@@ -368,7 +370,7 @@ and their rule type is `machine_learning`. |<> |This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.8.0 |2 -|<> |Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. |[Data Source: Elastic Defend for Containers], [Domain: Container] |8.8.0 |3 +|<> |Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. |[Data Source: Elastic Defend for Containers], [Domain: Container] |8.8.0 |4 |<> |Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |111 
@@ -396,13 +398,13 @@ and their rule type is `machine_learning`. |<> |Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |110 -|<> |Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |102 +|<> |Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |103 -|<> |Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |102 +|<> |Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |103 -|<> |Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. 
|[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |103 -|<> |Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |103 |<> |Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |9 
@@ -448,6 +450,8 @@ and their rule type is `machine_learning`. |<> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend] |8.3.0 |108 +|<> |Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Threat Detection], [Tactic: Exfiltration] |8.9.0 |1 + |<> |Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager] |8.5.0 |6 |<> |Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager] |8.5.0 |6 
@@ -466,7 +470,7 @@ and their rule type is `machine_learning`. |<> |Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |111 -|<> |Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |8.3.0 |102 +|<> |Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |8.3.0 |103 |<> |Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |7 
@@ -482,7 +486,7 @@ and their rule type is `machine_learning`. |<> |Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide] |8.12.0 |311 -|<> |Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |107 +|<> |Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.7.0 |207 |<> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.12.0 |108 
@@ -524,13 +528,13 @@ and their rule type is `machine_learning`. |<> |Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |5 -|<> |Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |103 -|<> |Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |103 |<> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |111 -|<> |Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. |[OS: Windows], [Data Source: APM], [OS: macOS], [OS: Linux] |8.3.0 |102 +|<> |Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. |[OS: Windows], [Data Source: APM], [OS: macOS], [OS: Linux] |8.3.0 |103 |<> |Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |108 
@@ -562,7 +566,7 @@ and their rule type is `machine_learning`. |<> |Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |3 -|<> |Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.11.0 |206 |<> |Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.8.0 |1 
@@ -784,7 +788,7 @@ and their rule type is `machine_learning`. |<> |Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 -|<> |Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |107 +|<> |Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |108 |<> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |5 
@@ -848,7 +852,7 @@ and their rule type is `machine_learning`. |<> |Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Sysmon] |8.3.0 |107 -|<> |Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |107 |<> |A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. |[Domain: Network], [Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Domain Generation Algorithm Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.9.0 |3 
@@ -860,9 +864,9 @@ and their rule type is `machine_learning`. |<> |A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. |[OS: Windows], [Data Source: Elastic Endgame], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |4 -|<> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |102 +|<> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |103 -|<> |Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |102 +|<> |Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |103 |<> |This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked. 
|[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |6 @@ -946,7 +950,7 @@ and their rule type is `machine_learning`. |<> |This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments. |[Data Source: Elastic Defend for Containers], [Domain: Container], [Tactic: Defense Evasion] |8.8.0 |1 -|<> |Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.11.0 |206 |<> |Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 
@@ -1078,17 +1082,17 @@ and their rule type is `machine_learning`. |<> |Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 -|<> |Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |103 -|<> |Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |102 +|<> |Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |103 |<> |An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |8.3.0 |107 |<> |Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |107 -|<> |Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |106 +|<> |Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. 
Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |107 |<
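Review bot: In the `@@ -180,7 +184,7 @@` hunk the osascript-with-administrator-privileges row raises its minimum stack version from 8.3.0 to 8.11.0 and its rule version from 107 to 207, so the updated rule silently drops out of any deployment below 8.11.0; that deserves an explicit mention in the release notes for this docs update, naming the 8.11.0 capability the rule now depends on. The same minimum-version jump with a +100 rule version appears in the macOS account/group enumeration row (`@@ -482,7 +486,7 @@`, 8.3.0 to 8.7.0, 107 to 207), the Finder Sync plugin row (`@@ -562,7 +566,7 @@`, 8.3.0 to 8.11.0, 106 to 206) and the launchctl environment variable row (`@@ -946,7 +950,7 @@`, 8.3.0 to 8.11.0, 106 to 206), and all four should be listed together as rules that no longer apply to older stacks.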
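Review bot: The `@@ -232,8 +236,6 @@` hunk drops the "Potential Gatekeeper bypass" row from the overview table without any replacement row or deprecation marker, so a reader of this page no longer has any way to learn that the rule existed or where it went. Confirm that the rule's own page is removed or moved to the deprecated rules section in the same change, and that no remaining `<>` cross-reference still points at it, otherwise the asciidoc build will produce a dangling xref.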
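Review bot: In the `@@ -448,6 +450,8 @@` hunk the new "AWS AMI shared with another account" row carries both `[Data Source: AWS]` and `[Data Source: Amazon Web Services]`, which are two labels for the same data source; keep one of them so the tag column stays filterable on a single value (the neighbouring `[Data Source: AWS EC2]` is the only tag that adds information). The note that "AMIs can be made publicly available accidentally as well" is a false-positive consideration rather than part of what the rule detects, so it reads better as the rule's own tuning guidance than as a sentence in the one-line description.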
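Review bot: The `@@ -784,7 +788,7 @@` hunk rewrites the keychain credentials row for the version bump (107 to 108) but carries over the wording error "from a system to in order to acquire credentials"; since the row is being touched anyway, change it to "from a system in order to acquire credentials" in the same change.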
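Review bot: The `@@ -848,7 +852,7 @@` hunk re-emits the installer package row with only the version bump (106 to 107) and leaves two style defects in place: "MacOS" appears twice where the row's own `[OS: macOS]` tag uses the correct capitalisation, and "e.g" lacks its trailing period in all three occurrences ("e.g bash", "e.g curl", "e.g pre/post install scripts etc."). Suggest "macOS installer package" and "e.g. bash" while the row is being regenerated.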