-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Detection Rules] Adding Documents for v8.8.12 Pre-Built Detection Ru…
…les (#4041) * Update latest docs * fixed broken links; added update description * fixed brokwn download prebuilt link * removed extra bracket in docs * updated broken links * removing script to fix links --------- Co-authored-by: terrancedejesus <[email protected]>
- Loading branch information
1 parent
9d49d23
commit 8347bdb
Showing
246 changed files
with
8,892 additions
and
631 deletions.
There are no files selected for viewing
105 changes: 105 additions & 0 deletions
105
...ble-packages/8-8-12/prebuilt-rule-8-8-12-abnormally-large-dns-response.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| [[prebuilt-rule-8-8-12-abnormally-large-dns-response]] | ||
| === Abnormally Large DNS Response | ||
|
|
||
| Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. | ||
|
|
||
| *Rule type*: query | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * packetbeat-* | ||
| * filebeat-* | ||
| * logs-network_traffic.* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ | ||
| * https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ | ||
| * https://github.com/maxpl0it/CVE-2020-1350-DoS | ||
| * https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Use Case: Threat Detection | ||
| * Tactic: Lateral Movement | ||
| * Resources: Investigation Guide | ||
| * Use Case: Vulnerability | ||
|
|
||
| *Version*: 105 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
| [source, markdown] | ||
| ---------------------------------- | ||
| ## Triage and analysis | ||
| ### Investigating Abnormally Large DNS Response | ||
| Detection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020. | ||
| #### Possible investigation steps | ||
| - This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment. | ||
| - Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts. | ||
| - Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data. | ||
| - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning. | ||
| - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment. | ||
| #### False positive analysis | ||
| - Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes. | ||
| - This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host. | ||
| ### Related rules | ||
| - Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45 | ||
| - Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9 | ||
| ### Response and remediation | ||
| - Initiate the incident response process based on the outcome of the triage. | ||
| - Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied. | ||
| - Maintain backups of your critical systems to aid in quick recovery. | ||
| - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities. | ||
| - If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior. | ||
| ---------------------------------- | ||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| (event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and | ||
| (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000 | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Lateral Movement | ||
| ** ID: TA0008 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0008/ | ||
| * Technique: | ||
| ** Name: Exploitation of Remote Services | ||
| ** ID: T1210 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1210/ |
78 changes: 78 additions & 0 deletions
78
...es/8-8-12/prebuilt-rule-8-8-12-accepted-default-telnet-port-connection.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| [[prebuilt-rule-8-8-12-accepted-default-telnet-port-connection]] | ||
| === Accepted Default Telnet Port Connection | ||
|
|
||
| This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. | ||
|
|
||
| *Rule type*: query | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * packetbeat-* | ||
| * auditbeat-* | ||
| * filebeat-* | ||
| * logs-network_traffic.* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: None | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * Use Case: Threat Detection | ||
| * Tactic: Command and Control | ||
| * Tactic: Lateral Movement | ||
| * Tactic: Initial Access | ||
|
|
||
| *Version*: 104 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| (event.dataset:network_traffic.flow or event.category:(network or network_traffic)) | ||
| and event.type:connection and not event.action:( | ||
| flow_dropped or denied or deny or | ||
| flow_terminated or timeout or Reject or network_flow) | ||
| and destination.port:23 | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Command and Control | ||
| ** ID: TA0011 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0011/ | ||
| * Tactic: | ||
| ** Name: Lateral Movement | ||
| ** ID: TA0008 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0008/ | ||
| * Technique: | ||
| ** Name: Remote Services | ||
| ** ID: T1021 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1021/ | ||
| * Tactic: | ||
| ** Name: Initial Access | ||
| ** ID: TA0001 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0001/ | ||
| * Technique: | ||
| ** Name: Exploit Public-Facing Application | ||
| ** ID: T1190 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1190/ |
84 changes: 84 additions & 0 deletions
84
...s/8-8-12/prebuilt-rule-8-8-12-cobalt-strike-command-and-control-beacon.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,84 @@ | ||
| [[prebuilt-rule-8-8-12-cobalt-strike-command-and-control-beacon]] | ||
| === Cobalt Strike Command and Control Beacon | ||
|
|
||
| Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. | ||
|
|
||
| *Rule type*: query | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * packetbeat-* | ||
| * auditbeat-* | ||
| * filebeat-* | ||
| * logs-network_traffic.* | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://blog.morphisec.com/fin7-attacks-restaurant-industry | ||
| * https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html | ||
| * https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Use Case: Threat Detection | ||
| * Tactic: Command and Control | ||
| * Domain: Endpoint | ||
|
|
||
| *Version*: 104 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
| [source, markdown] | ||
| ---------------------------------- | ||
| ## Threat intel | ||
| This activity has been observed in FIN7 campaigns. | ||
| ---------------------------------- | ||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| ((event.category: (network or network_traffic) and type: (tls or http)) | ||
| or event.dataset: (network_traffic.tls or network_traffic.http) | ||
| ) and destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Command and Control | ||
| ** ID: TA0011 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0011/ | ||
| * Technique: | ||
| ** Name: Application Layer Protocol | ||
| ** ID: T1071 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1071/ | ||
| * Technique: | ||
| ** Name: Dynamic Resolution | ||
| ** ID: T1568 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1568/ | ||
| * Sub-technique: | ||
| ** Name: Domain Generation Algorithms | ||
| ** ID: T1568.002 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1568/002/ |
92 changes: 92 additions & 0 deletions
92
...8-12/prebuilt-rule-8-8-12-control-panel-process-with-unusual-arguments.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| [[prebuilt-rule-8-8-12-control-panel-process-with-unusual-arguments]] | ||
| === Control Panel Process with Unusual Arguments | ||
|
|
||
| Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * logs-endpoint.events.* | ||
| * winlogbeat-* | ||
| * logs-windows.* | ||
| * endgame-* | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://www.joesandbox.com/analysis/476188/1/html | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Windows | ||
| * Use Case: Threat Detection | ||
| * Tactic: Defense Evasion | ||
| * Tactic: Execution | ||
| * Data Source: Elastic Endgame | ||
| * Data Source: Elastic Defend | ||
|
|
||
| *Version*: 107 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Investigation guide | ||
|
|
||
|
|
||
| [source, markdown] | ||
| ---------------------------------- | ||
| ---------------------------------- | ||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| process where host.os.type == "windows" and event.type == "start" and | ||
| process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and | ||
| process.command_line : | ||
| ("*.jpg*", | ||
| "*.png*", | ||
| "*.gif*", | ||
| "*.bmp*", | ||
| "*.jpeg*", | ||
| "*.TIFF*", | ||
| "*.inf*", | ||
| "*.cpl:*/*", | ||
| "*../../..*", | ||
| "*/AppData/Local/*", | ||
| "*:\\Users\\Public\\*", | ||
| "*\\AppData\\Local\\*") | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Defense Evasion | ||
| ** ID: TA0005 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0005/ | ||
| * Technique: | ||
| ** Name: System Binary Proxy Execution | ||
| ** ID: T1218 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1218/ | ||
| * Sub-technique: | ||
| ** Name: Control Panel | ||
| ** ID: T1218.002 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1218/002/ |
Oops, something went wrong.