From ad8dcbc8dfdae62e7e0dc36e0d991adf07cc06bb Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Thu, 30 May 2024 18:27:56 +0200 Subject: [PATCH] [Detection Rules] Adding Documents for v8.11.17 Pre-Built Detection Rules (#5273) --- ...7-account-password-reset-remotely.asciidoc | 99 + ...-hidden-file-attribute-via-attrib.asciidoc | 151 ++ ...e-8-11-17-adfind-command-activity.asciidoc | 169 ++ ...-8-11-17-adobe-hijack-persistence.asciidoc | 157 ++ ...tempt-to-clear-kernel-ring-buffer.asciidoc | 114 + ...credential-fetch-via-assumed-role.asciidoc | 123 + ...ion-lifecycle-configuration-added.asciidoc | 128 + ...ule-8-11-17-chkconfig-service-add.asciidoc | 202 ++ ...dification-through-built-in-tools.asciidoc | 135 ++ ...icy-modification-through-registry.asciidoc | 146 ++ ...f-domain-backup-dpapi-private-key.asciidoc | 101 + ...ged-by-previously-unknown-process.asciidoc | 230 ++ ...-11-17-delayed-execution-via-ping.asciidoc | 148 ++ ...ting-backup-catalogs-with-wbadmin.asciidoc | 140 ++ ...control-via-registry-modification.asciidoc | 182 ++ ...s-over-https-enabled-via-registry.asciidoc | 91 + ...-rule-8-11-17-dynamic-linker-copy.asciidoc | 192 ++ ...2-ami-shared-with-another-account.asciidoc | 117 + ...executable-stored-in-the-registry.asciidoc | 71 + ...ncrypting-files-with-winrar-or-7z.asciidoc | 153 ++ ...ing-domain-trusts-via-dsquery-exe.asciidoc | 121 + ...ting-domain-trusts-via-nltest-exe.asciidoc | 126 + ...tion-command-spawned-via-wmiprvse.asciidoc | 137 ++ ...le-masquerading-as-kernel-process.asciidoc | 110 + ...g-exchange-mailbox-via-powershell.asciidoc | 162 ++ ...value-accessed-in-secrets-manager.asciidoc | 132 ++ ...-17-first-time-seen-driver-loaded.asciidoc | 153 ++ ...protected-branch-settings-changed.asciidoc | 63 + ...ocess-arguments-in-an-rdp-session.asciidoc | 83 + ...high-mean-of-rdp-session-duration.asciidoc | 83 + ...-variance-in-rdp-session-duration.asciidoc | 83 + ...security-group-ingress-rule-added.asciidoc | 124 + ...-rule-8-11-17-kirbi-file-creation.asciidoc | 67 + ...count-tokenfilter-policy-disabled.asciidoc | 91 + ...uest-predicted-to-be-a-dga-domain.asciidoc | 103 + ...with-a-high-dga-probability-score.asciidoc | 103 + ...redicted-to-be-malicious-activity.asciidoc | 102 + ...-high-malicious-probability-score.asciidoc | 103 + ...using-a-known-sunburst-dns-domain.asciidoc | 103 + ...rosoft-windows-defender-tampering.asciidoc | 171 ++ ...mimikatz-memssp-log-file-detected.asciidoc | 140 ++ ...cation-of-amsienable-registry-key.asciidoc | 162 ++ ...ork-activity-detected-via-kworker.asciidoc | 124 + ...ted-by-previously-unknown-process.asciidoc | 220 ++ ...8-11-17-new-systemd-timer-created.asciidoc | 187 ++ ...tence-via-bits-job-notify-cmdline.asciidoc | 91 + ...ript-or-desktop-file-modification.asciidoc | 214 ++ ...stence-via-scheduled-job-creation.asciidoc | 98 + ...-17-port-forwarding-rule-addition.asciidoc | 151 ++ ...l-buffer-overflow-attack-detected.asciidoc | 86 + ...ty-to-an-unusual-destination-port.asciidoc | 83 + ...activity-to-an-unusual-ip-address.asciidoc | 83 + ...n-activity-to-an-unusual-iso-code.asciidoc | 83 + ...ion-activity-to-an-unusual-region.asciidoc | 83 + ...le-8-11-17-potential-dga-activity.asciidoc | 93 + ...ux-backdoor-user-account-creation.asciidoc | 168 ++ ...-potential-network-sweep-detected.asciidoc | 75 + ...rsistence-through-init-d-detected.asciidoc | 189 ++ ...rough-motd-file-creation-detected.asciidoc | 181 ++ ...ence-through-run-control-detected.asciidoc | 184 ++ ...h-count-of-readme-files-by-system.asciidoc | 125 + ...somware-note-file-dropped-via-smb.asciidoc | 136 ++ ...remote-desktop-tunneling-detected.asciidoc | 147 ++ ...potential-reverse-shell-via-child.asciidoc | 120 + ...e-8-11-17-potential-reverse-shell.asciidoc | 118 + ...17-potential-suspicious-file-edit.asciidoc | 112 + ...ell-script-block-logging-disabled.asciidoc | 135 ++ ...pt-for-credentials-with-osascript.asciidoc | 111 + ...-by-unsigned-or-untrusted-process.asciidoc | 110 + ...istry-persistence-via-appcert-dll.asciidoc | 103 + ...r-query-log-configuration-deleted.asciidoc | 122 + ...ol-spawned-via-script-interpreter.asciidoc | 172 ++ ...ged-by-previously-unknown-process.asciidoc | 185 ++ ...s-disabling-services-via-registry.asciidoc | 113 + ...to-an-external-device-via-airdrop.asciidoc | 82 + ...-bytes-sent-to-an-external-device.asciidoc | 82 + ...connections-made-from-a-source-ip.asciidoc | 83 + ...nections-made-to-a-destination-ip.asciidoc | 83 + ...er-of-processes-in-an-rdp-session.asciidoc | 83 + ...17-spike-in-remote-file-transfers.asciidoc | 83 + ...authorized-keys-file-modification.asciidoc | 103 + ...-file-modified-inside-a-container.asciidoc | 85 + ...m-session-started-to-ec2-instance.asciidoc | 123 + ...ing-activity-with-high-confidence.asciidoc | 96 + ...el-detected-c2-beaconing-activity.asciidoc | 97 + ...us-antimalware-scan-interface-dll.asciidoc | 144 ++ ...-endpoint-security-parent-process.asciidoc | 106 + ...e-creation-in-etc-for-persistence.asciidoc | 245 ++ ...picious-file-creation-via-kworker.asciidoc | 193 ++ ...7-suspicious-file-renamed-via-smb.asciidoc | 138 ++ ...ous-macos-ms-office-child-process.asciidoc | 168 ++ ...ft-365-mail-access-by-clientappid.asciidoc | 140 ++ ...spicious-ms-outlook-child-process.asciidoc | 181 ++ ...-by-previously-unknown-executable.asciidoc | 241 ++ ...rocess-spawned-from-motd-detected.asciidoc | 201 ++ ...creenconnect-client-child-process.asciidoc | 88 + ...rvice-was-installed-in-the-system.asciidoc | 134 ++ ...web-browser-sensitive-file-access.asciidoc | 115 + ...suspicious-werfault-child-process.asciidoc | 117 + ...1-17-suspicious-which-enumeration.asciidoc | 68 + ...process-cluster-spawned-by-a-host.asciidoc | 83 + ...uster-spawned-by-a-parent-process.asciidoc | 85 + ...process-cluster-spawned-by-a-user.asciidoc | 85 + ...-17-suspicious-zoom-child-process.asciidoc | 146 ++ ...-or-moved-to-suspicious-directory.asciidoc | 130 ++ ...-11-17-system-shells-via-services.asciidoc | 147 ++ ...started-by-unusual-parent-process.asciidoc | 217 ++ ...es-deleted-via-unexpected-process.asciidoc | 164 ++ ...ia-windows-directory-masquerading.asciidoc | 174 ++ ...a-windows-firewall-snap-in-hijack.asciidoc | 177 ++ ...ommon-registry-persistence-change.asciidoc | 142 ++ ...e-8-11-17-untrusted-driver-loaded.asciidoc | 144 ++ ...vity-from-a-windows-system-binary.asciidoc | 204 ++ ...nusual-parent-process-for-cmd-exe.asciidoc | 106 + ...nusual-process-for-a-windows-host.asciidoc | 133 ++ ...unusual-process-spawned-by-a-host.asciidoc | 85 + ...ocess-spawned-by-a-parent-process.asciidoc | 85 + ...unusual-process-spawned-by-a-user.asciidoc | 85 + ...riting-data-to-an-external-device.asciidoc | 82 + ...-17-unusual-remote-file-directory.asciidoc | 83 + ...-17-unusual-remote-file-extension.asciidoc | 83 + ...-8-11-17-unusual-remote-file-size.asciidoc | 83 + ...al-time-or-day-for-an-rdp-session.asciidoc | 83 + ...ess-child-of-common-web-processes.asciidoc | 192 ++ ...isabled-via-registry-modification.asciidoc | 170 ++ ...rpreter-executing-process-via-wmi.asciidoc | 114 + ...e-installed-via-an-unusual-client.asciidoc | 98 + .../prebuilt-rules-8-11-17-appendix.asciidoc | 133 ++ .../prebuilt-rules-8-11-17-summary.asciidoc | 266 +++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 2078 +++++++++-------- .../prebuilt-rules/rule-desc-index.asciidoc | 5 + .../account-password-reset-remotely.asciidoc | 3 +- ...-hidden-file-attribute-via-attrib.asciidoc | 18 +- .../adfind-command-activity.asciidoc | 10 +- .../adobe-hijack-persistence.asciidoc | 4 +- ...tempt-to-clear-kernel-ring-buffer.asciidoc | 18 +- ...e-user-data-from-aws-ec2-instance.asciidoc | 67 + ...credential-fetch-via-assumed-role.asciidoc | 3 +- ...s-iam-login-profile-added-to-user.asciidoc | 18 +- ...ion-lifecycle-configuration-added.asciidoc | 128 + .../chkconfig-service-add.asciidoc | 4 +- ...dification-through-built-in-tools.asciidoc | 6 +- ...icy-modification-through-registry.asciidoc | 14 +- ...f-domain-backup-dpapi-private-key.asciidoc | 4 +- ...ged-by-previously-unknown-process.asciidoc | 32 +- .../delayed-execution-via-ping.asciidoc | 32 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 10 +- ...control-via-registry-modification.asciidoc | 10 +- ...s-over-https-enabled-via-registry.asciidoc | 10 +- .../rule-details/dynamic-linker-copy.asciidoc | 6 +- ...2-ami-shared-with-another-account.asciidoc | 3 +- ...executable-stored-in-the-registry.asciidoc | 4 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 10 +- ...ing-domain-trusts-via-dsquery-exe.asciidoc | 10 +- ...ting-domain-trusts-via-nltest-exe.asciidoc | 10 +- ...tion-command-spawned-via-wmiprvse.asciidoc | 26 +- ...le-masquerading-as-kernel-process.asciidoc | 10 +- ...g-exchange-mailbox-via-powershell.asciidoc | 6 +- ...ed-or-archived-into-common-format.asciidoc | 18 +- ...value-accessed-in-secrets-manager.asciidoc | 4 +- .../first-time-seen-driver-loaded.asciidoc | 6 +- ...protected-branch-settings-changed.asciidoc | 4 +- ...ocess-arguments-in-an-rdp-session.asciidoc | 15 +- ...high-mean-of-rdp-session-duration.asciidoc | 15 +- ...-variance-in-rdp-session-duration.asciidoc | 15 +- ...security-group-ingress-rule-added.asciidoc | 124 + .../rule-details/kirbi-file-creation.asciidoc | 6 +- ...count-tokenfilter-policy-disabled.asciidoc | 7 +- ...uest-predicted-to-be-a-dga-domain.asciidoc | 35 +- ...with-a-high-dga-probability-score.asciidoc | 35 +- ...redicted-to-be-malicious-activity.asciidoc | 38 +- ...-high-malicious-probability-score.asciidoc | 38 +- ...using-a-known-sunburst-dns-domain.asciidoc | 35 +- ...rosoft-windows-defender-tampering.asciidoc | 10 +- ...mimikatz-memssp-log-file-detected.asciidoc | 4 +- ...cation-of-amsienable-registry-key.asciidoc | 10 +- ...ork-activity-detected-via-kworker.asciidoc | 10 +- ...ted-by-previously-unknown-process.asciidoc | 6 +- .../new-systemd-timer-created.asciidoc | 6 +- ...tence-via-bits-job-notify-cmdline.asciidoc | 4 +- ...ript-or-desktop-file-modification.asciidoc | 6 +- ...stence-via-scheduled-job-creation.asciidoc | 4 +- .../port-forwarding-rule-addition.asciidoc | 7 +- ...l-buffer-overflow-attack-detected.asciidoc | 4 +- ...ty-to-an-unusual-destination-port.asciidoc | 14 +- ...activity-to-an-unusual-ip-address.asciidoc | 14 +- ...n-activity-to-an-unusual-iso-code.asciidoc | 14 +- ...ion-activity-to-an-unusual-region.asciidoc | 14 +- .../potential-dga-activity.asciidoc | 35 +- ...ux-backdoor-user-account-creation.asciidoc | 4 +- .../potential-network-sweep-detected.asciidoc | 4 +- ...andard-port-http-https-connection.asciidoc | 10 +- ...rsistence-through-init-d-detected.asciidoc | 4 +- ...rough-motd-file-creation-detected.asciidoc | 4 +- ...ence-through-run-control-detected.asciidoc | 4 +- ...h-count-of-readme-files-by-system.asciidoc | 4 +- ...somware-note-file-dropped-via-smb.asciidoc | 10 +- ...remote-desktop-tunneling-detected.asciidoc | 4 +- ...potential-reverse-shell-via-child.asciidoc | 15 +- .../potential-reverse-shell.asciidoc | 15 +- .../potential-suspicious-file-edit.asciidoc | 20 +- ...ell-script-block-logging-disabled.asciidoc | 10 +- ...pt-for-credentials-with-osascript.asciidoc | 4 +- ...-by-unsigned-or-untrusted-process.asciidoc | 4 +- ...istry-persistence-via-appcert-dll.asciidoc | 7 +- ...r-query-log-configuration-deleted.asciidoc | 3 +- ...ol-spawned-via-script-interpreter.asciidoc | 10 +- ...ged-by-previously-unknown-process.asciidoc | 4 +- ...s-disabling-services-via-registry.asciidoc | 10 +- ...to-an-external-device-via-airdrop.asciidoc | 14 +- ...-bytes-sent-to-an-external-device.asciidoc | 14 +- ...connections-made-from-a-source-ip.asciidoc | 15 +- ...nections-made-to-a-destination-ip.asciidoc | 15 +- ...er-of-processes-in-an-rdp-session.asciidoc | 15 +- .../spike-in-remote-file-transfers.asciidoc | 14 +- ...authorized-keys-file-modification.asciidoc | 18 +- ...-file-modified-inside-a-container.asciidoc | 18 +- ...m-session-started-to-ec2-instance.asciidoc | 123 + ...ing-activity-with-high-confidence.asciidoc | 4 +- ...el-detected-c2-beaconing-activity.asciidoc | 4 +- ...us-antimalware-scan-interface-dll.asciidoc | 4 +- ...-endpoint-security-parent-process.asciidoc | 3 +- ...e-creation-in-etc-for-persistence.asciidoc | 22 +- ...picious-file-creation-via-kworker.asciidoc | 13 +- .../suspicious-file-renamed-via-smb.asciidoc | 10 +- ...ous-macos-ms-office-child-process.asciidoc | 4 +- ...ft-365-mail-access-by-clientappid.asciidoc | 73 +- ...spicious-ms-outlook-child-process.asciidoc | 4 +- ...-by-previously-unknown-executable.asciidoc | 10 +- ...rocess-spawned-from-motd-detected.asciidoc | 8 +- ...creenconnect-client-child-process.asciidoc | 6 +- ...rvice-was-installed-in-the-system.asciidoc | 6 +- ...web-browser-sensitive-file-access.asciidoc | 6 +- ...suspicious-werfault-child-process.asciidoc | 12 +- .../suspicious-which-enumeration.asciidoc | 4 +- ...process-cluster-spawned-by-a-host.asciidoc | 47 +- ...uster-spawned-by-a-parent-process.asciidoc | 47 +- ...process-cluster-spawned-by-a-user.asciidoc | 47 +- .../suspicious-zoom-child-process.asciidoc | 4 +- ...-or-moved-to-suspicious-directory.asciidoc | 10 +- .../system-shells-via-services.asciidoc | 4 +- ...started-by-unusual-parent-process.asciidoc | 217 ++ ...es-deleted-via-unexpected-process.asciidoc | 10 +- ...ia-windows-directory-masquerading.asciidoc | 18 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 18 +- ...ommon-registry-persistence-change.asciidoc | 18 +- ...igned-bits-service-client-process.asciidoc | 10 +- .../untrusted-driver-loaded.asciidoc | 6 +- ...vity-from-a-windows-system-binary.asciidoc | 18 +- ...nusual-parent-process-for-cmd-exe.asciidoc | 4 +- ...nusual-process-for-a-windows-host.asciidoc | 6 +- ...unusual-process-spawned-by-a-host.asciidoc | 47 +- ...ocess-spawned-by-a-parent-process.asciidoc | 47 +- ...unusual-process-spawned-by-a-user.asciidoc | 47 +- ...riting-data-to-an-external-device.asciidoc | 14 +- .../unusual-remote-file-directory.asciidoc | 14 +- .../unusual-remote-file-extension.asciidoc | 14 +- .../unusual-remote-file-size.asciidoc | 14 +- ...al-time-or-day-for-an-rdp-session.asciidoc | 15 +- ...ess-child-of-common-web-processes.asciidoc | 6 +- ...indows-account-or-group-discovery.asciidoc | 10 +- ...isabled-via-registry-modification.asciidoc | 10 +- ...rpreter-executing-process-via-wmi.asciidoc | 10 +- docs/index.asciidoc | 2 + 265 files changed, 18962 insertions(+), 2113 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-account-password-reset-remotely.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adfind-command-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adobe-hijack-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-chkconfig-service-add.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-delayed-execution-via-ping.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dynamic-linker-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-github-protected-branch-settings-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-kirbi-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-microsoft-windows-defender-tampering.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-modification-of-amsienable-registry-key.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-network-activity-detected-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-port-forwarding-rule-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-dga-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell-via-child.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-suspicious-file-edit.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-powershell-script-block-logging-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-remote-file-transfers.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-werfault-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-which-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-zoom-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-shells-via-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uncommon-registry-persistence-change.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-untrusted-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-for-a-windows-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-size.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-retrieve-user-data-from-aws-ec2-instance.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssm-session-started-to-ec2-instance.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/systemd-service-started-by-unusual-parent-process.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-account-password-reset-remotely.asciidoc new file mode 100644 index 0000000000..84b06a6311 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-account-password-reset-remotely.asciidoc @@ -0,0 +1,99 @@ +[[prebuilt-rule-8-11-17-account-password-reset-remotely]] +=== Account Password Reset Remotely + +Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.security* +* logs-windows.forwarded* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724 +* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Impact + +*Version*: 115 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Performance* + +This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name with maxspan=1m + [authentication where event.action == "logged-in" and + /* event 4624 need to be logged */ + winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and + source.ip != "127.0.0.1" and source.ip != "::1" and + not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")] by winlog.event_data.TargetLogonId + /* event 4724 need to be logged */ + [iam where event.action == "reset-password" and + ( + /* + This rule is very noisy if not scoped to privileged accounts, duplicate the + rule and add your own naming convention and accounts of interest here. + */ + winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or + winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500") + ) + ] by winlog.event_data.SubjectLogonId + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib.asciidoc new file mode 100644 index 0000000000..032a12a498 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib.asciidoc @@ -0,0 +1,151 @@ +[[prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib]] +=== Adding Hidden File Attribute via Attrib + +Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Adding Hidden File Attribute via Attrib* + + +The `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. + +Attackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. + +This rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify the target file or folder. + - Examine the file, which process created it, header, etc. + - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Examine the host for derived artifacts that indicate suspicious activities: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "attrib.exe" or ?process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and + not (process.parent.name: "cmd.exe" and process.command_line: "attrib +R +H +S +A *.cui") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Windows File and Directory Permissions Modification +** ID: T1222.001 +** Reference URL: https://attack.mitre.org/techniques/T1222/001/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adfind-command-activity.asciidoc new file mode 100644 index 0000000000..0991bf5dbb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adfind-command-activity.asciidoc @@ -0,0 +1,169 @@ +[[prebuilt-rule-8-11-17-adfind-command-activity]] +=== AdFind Command Activity + +This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://www.joeware.net/freetools/tools/adfind/ +* https://thedfirreport.com/2020/05/08/adfind-recon/ +* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware +* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html +* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating AdFind Command Activity* + + +http://www.joeware.net/freetools/tools/adfind/[AdFind] is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many https://thedfirreport.com/category/adfind/[examples] of this tool being adopted by ransomware and criminal groups and used in compromises. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line to determine what information was retrieved by the tool. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling. + + +*Related rules* + + +- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1 +- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d +- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "AdFind.exe" or ?process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", + "objectcategory=person", "(objectcategory=person)", + "objectcategory=subnet", "(objectcategory=subnet)", + "objectcategory=group", "(objectcategory=group)", + "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", + "objectcategory=attributeschema", "(objectcategory=attributeschema)", + "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adobe-hijack-persistence.asciidoc new file mode 100644 index 0000000000..c58747ee52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-adobe-hijack-persistence.asciidoc @@ -0,0 +1,157 @@ +[[prebuilt-rule-8-11-17-adobe-hijack-persistence]] +=== Adobe Hijack Persistence + +Detects writing executable files that will be automatically launched by Adobe on launch. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/pabraeken/status/997997818362155008 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 213 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Adobe Hijack Persistence* + + +Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", + "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and + not process.name : "msiexec.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Services File Permissions Weakness +** ID: T1574.010 +** Reference URL: https://attack.mitre.org/techniques/T1574/010/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer.asciidoc new file mode 100644 index 0000000000..ef626ca4c5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer]] +=== Attempt to Clear Kernel Ring Buffer + +Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Auditd Manager + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name == "dmesg" and process.args == "-c" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Linux or Mac System Logs +** ID: T1070.002 +** Reference URL: https://attack.mitre.org/techniques/T1070/002/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc new file mode 100644 index 0000000000..355d312a64 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role]] +=== AWS EC2 Admin Credential Fetch via Assumed Role + +Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon EC2 +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS EC2 Admin Credential Fetch via Assumed Role* + + +This rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. + +This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. + + +*Possible Investigation Steps* + + +- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. +- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password. +- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident. +- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance. +- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata. +- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS. +- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. +- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. + + +*Response and Remediation* + + +- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions. +- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials. +- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. +- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. +- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems. +- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`. + + +*Additional Information* + + +Refer to resources like https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc[AWS privilege escalation methods] and the MITRE ATT&CK technique https://attack.mitre.org/techniques/T1552/005/[T1552.005 - Cloud Instance Metadata API] for more details on potential vulnerabilities and mitigation strategies. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"aws.cloudtrail" + and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" + and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Cloud Instance Metadata API +** ID: T1552.005 +** Reference URL: https://attack.mitre.org/techniques/T1552/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc new file mode 100644 index 0000000000..fb411ee28b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added]] +=== AWS S3 Bucket Expiration Lifecycle Configuration Added + +Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon S3 +* Use Case: Asset Visibility +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added* + + +This rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data. + + +*Detailed Investigation Steps* + + +- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added. + - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy. +- **Analyze the Lifecycle Configuration**: + - **Expiration Policy**: Note the `Days` parameter under `Expiration` in the lifecycle rule. This indicates how long after creation data will remain in the bucket before being automatically deleted. + - **Rule ID and Status**: Review the `ID` and `Status` of the lifecycle rule to understand its operational scope and activation status. +- **User Identity and Activity**: + - **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations. + - **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns. +- **Source IP and User Agent**: + - **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user’s known locations. + - **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes. + + +*Possible Indicators of Compromise or Misuse* + + +- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically. +- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation. + + +*False Positive Analysis* + + +- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons. + + +*Response and Remediation* + + +- **Immediate Review**: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss. +- **Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments. +- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security. + + +*Additional Information* + + +For further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html[S3 Lifecycle Configuration]. + + +==== Setup + + +This rule requires S3 data events to be logged to CloudTrail. CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" and event.provider: "s3.amazonaws.com" and + event.action: PutBucketLifecycle and event.outcome: success and + aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..dca88a3902 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-chkconfig-service-add.asciidoc @@ -0,0 +1,202 @@ +[[prebuilt-rule-8-11-17-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Chkconfig Service Add* + +Service files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. + +Malicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +This rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the service that was created or modified. +- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`. +- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. +- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents. +- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\n'/etc/rc%.d/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) and +not process.parent.name in ("rpm", "qualys-scan-util", "qualys-cloud-agent", "update-alternatives") and +not process.parent.args : ("/var/tmp/rpm*", "/var/lib/waagent/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools.asciidoc new file mode 100644 index 0000000000..ebae0f75f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools]] +=== Code Signing Policy Modification Through Built-in tools + +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Code Signing Policy Modification Through Built-in tools* + + +Windows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded. + +This protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system. + +This rule identifies commands that can disable the Driver Signature Enforcement feature. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Use Osquery and endpoint driver events (`event.category = "driver"`) to investigate if suspicious drivers were loaded into the system after the command was executed. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + + +*False positive analysis* + + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + + +*Related Rules* + + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name: "bcdedit.exe" or ?process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and + process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Code Signing Policy Modification +** ID: T1553.006 +** Reference URL: https://attack.mitre.org/techniques/T1553/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry.asciidoc new file mode 100644 index 0000000000..5097207a40 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry]] +=== Code Signing Policy Modification Through Registry + +Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Code Signing Policy Modification Through Registry* + + +Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. + +This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security. + +This rule identifies registry modifications that can disable DSE. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Use Osquery and endpoint driver events (`event.category = "driver"`) to investigate if suspicious drivers were loaded into the system after the registry was modified. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + + +*False positive analysis* + + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + + +*Related Rules* + + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type : ("creation", "change") and +( + registry.path : ( + "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify", + "HKU\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify", + "\\REGISTRY\\USER\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" + ) and + registry.value: "BehaviorOnFailedVerify" and + registry.data.strings : ("0", "0x00000000", "1", "0x00000001") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Code Signing Policy Modification +** ID: T1553.006 +** Reference URL: https://attack.mitre.org/techniques/T1553/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc new file mode 100644 index 0000000000..ee314c3431 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key]] +=== Creation or Modification of Domain Backup DPAPI private key + +Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/ +* https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys. + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..fbc4bb3bd6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,230 @@ +[[prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process]] +=== Cron Job Created or Changed by Previously Unknown Process + +Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Cron Job Created or Changed by Previously Unknown Process* + +Linux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. + +By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +This rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the cron job file that was created or modified. +- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE\n'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE\n'/etc/cron.monthly/%' )\n"}} + - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path =\n'/usr/sbin/cron' OR path = '/usr/sbin/anacron' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\npath LIKE '/etc/cron.monthly/%' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ( + change or file_modify_event or creation or file_create_event or rename or file_rename_event +) and file.path : ( + /etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or + /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron or /var/spool/cron/crontabs/* +) and not ( + (process.name : ( + dpkg or dockerd or rpm or snapd or yum or exe or dnf or podman or dnf-automatic or puppet or autossl_check) + ) or + (file.extension : (swp or swpx)) or + (process.name : sed and file.name : sed*) or + (process.name : perl and file.name : e2scrub_all.tmp*) or + (process.executable : /var/lib/dpkg*) or + (file.path:/var/spool/cron/crontabs/tmp.*) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-delayed-execution-via-ping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-delayed-execution-via-ping.asciidoc new file mode 100644 index 0000000000..b9f8506e9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-delayed-execution-via-ping.asciidoc @@ -0,0 +1,148 @@ +[[prebuilt-rule-8-11-17-delayed-execution-via-ping]] +=== Delayed Execution via Ping + +Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and + process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"] + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "cmd.exe" and + ( + process.name : ( + "rundll32.exe", "powershell.exe", + "mshta.exe", "msbuild.exe", + "certutil.exe", "regsvr32.exe", + "powershell.exe", "cscript.exe", + "wscript.exe", "wmic.exe", + "installutil.exe", "msxsl.exe", + "Microsoft.Workflow.Compiler.exe", + "ieexec.exe", "iexpress.exe", + "RegAsm.exe", "installutil.exe", + "RegSvcs.exe", "RegAsm.exe" + ) or + (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true) + ) and + + not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : "*ScreenConnectConfigurator.cmd*") and + not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and + not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and + not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and + not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and + not (process.name : "wscript.exe" and + process.working_directory : + ("?:\\Windows\\TempInst\\*", + "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\", + "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\")) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Script Proxy Execution +** ID: T1216 +** Reference URL: https://attack.mitre.org/techniques/T1216/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: CMSTP +** ID: T1218.003 +** Reference URL: https://attack.mitre.org/techniques/T1218/003/ +* Sub-technique: +** Name: InstallUtil +** ID: T1218.004 +** Reference URL: https://attack.mitre.org/techniques/T1218/004/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Sub-technique: +** Name: Regsvcs/Regasm +** ID: T1218.009 +** Reference URL: https://attack.mitre.org/techniques/T1218/009/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ +* Technique: +** Name: Virtualization/Sandbox Evasion +** ID: T1497 +** Reference URL: https://attack.mitre.org/techniques/T1497/ +* Sub-technique: +** Name: Time Based Evasion +** ID: T1497.003 +** Reference URL: https://attack.mitre.org/techniques/T1497/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin.asciidoc new file mode 100644 index 0000000000..93eed8047e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin]] +=== Deleting Backup Catalogs with Wbadmin + +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Deleting Backup Catalogs with Wbadmin* + + +Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks. + +This rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + + +*False positive analysis* + + +- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or ?process.pe.original_file_name == "WBADMIN.EXE") and + process.args : "catalog" and process.args : "delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification.asciidoc new file mode 100644 index 0000000000..4b9be438c7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification.asciidoc @@ -0,0 +1,182 @@ +[[prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification]] +=== Disabling User Account Control via Registry Modification + +User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.greyhathacker.net/?p=796 +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Disabling User Account Control via Registry Modification* + + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works[official Microsoft docs page]. + +Attackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes. +- Retrieve the suspicious processes' executables and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore UAC settings to the desired state. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : + ( + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop" + ) and + registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..52f7e1211c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry]] +=== DNS-over-HTTPS Enabled via Registry + +Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html +* https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 110 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and + registry.data.strings : "1") or + (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and + registry.data.strings : "secure") or + (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and + registry.data.strings : "1") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dynamic-linker-copy.asciidoc new file mode 100644 index 0000000000..3d3d5e40ae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-dynamic-linker-copy.asciidoc @@ -0,0 +1,192 @@ +[[prebuilt-rule-8-11-17-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Dynamic Linker Copy* + + +The Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. + +Adversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious. + +The detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names "cp" or "rsync" that involve copying the dynamic linker binary ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2") and modifying the "/etc/ld.so.preload" file. Additionally, the rule checks for the creation of new files with the "so" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Investigate the dynamic linker that was copied or altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path =\n'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path =\n'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path =\n'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path =\n'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. +- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee +- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f +- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4 + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[process where host.os.type == "linux" and event.type == "start" and process.name in ("cp", "rsync") and + process.args in ( + "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2", + "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2" + )] +[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account.asciidoc new file mode 100644 index 0000000000..0ec7696a42 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account]] +=== EC2 AMI Shared with Another Account + +Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html +* https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Exfiltration + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating EC2 AMI Shared with Another Account* + + +This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control. + + +*Possible Investigation Steps* + + +- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared. +- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments. +- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing. + + +*False Positive Analysis* + + +- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating. +- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior. + + +*Response and Remediation* + + +- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI. +- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. +- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access. +- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing. + + +*Additional Information* + + +For more information on managing and sharing AMIs, refer to the https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[Amazon EC2 User Guide on AMIs] and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html[Sharing AMIs]. Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/[here]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" + and event.action: ModifyImageAttribute and event.outcome: success + and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry.asciidoc new file mode 100644 index 0000000000..284d7bd207 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry]] +=== Encoded Executable Stored in the Registry + +Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* +* endgame-* +* logs-windows.sysmon_operational-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and +/* update here with encoding combinations */ + registry.data.strings : "TVqQAAMAAAAEAAAA*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z.asciidoc new file mode 100644 index 0000000000..28e028a73a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z.asciidoc @@ -0,0 +1,153 @@ +[[prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z]] +=== Encrypting Files with WinRar or 7z + +Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Encrypting Files with WinRar or 7z* + + +Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. + +These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. + + +*Possible investigation steps* + + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the encrypted file. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the password used in the encryption was included in the command line. +- Decrypt the `.rar`/`.zip` and check if the information is sensitive. +- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file. +- Investigate if the file was transferred to an attacker-controlled server. + + +*False positive analysis* + + +- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + ( + process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or + ?process.pe.original_file_name == "Command line RAR" + ) and + process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*") + ) or + ( + ?process.pe.original_file_name in ("7z.exe", "7za.exe") and + process.args == "a" and process.args : "-p*" + ) +) and + not process.parent.executable : ( + "C:\\Program Files\\*.exe", + "C:\\Program Files (x86)\\*.exe", + "?:\\ManageEngine\\*\\jre\\bin\\java.exe", + "?:\\Nox\\bin\\Nox.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe.asciidoc new file mode 100644 index 0000000000..4d92b9ab09 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe]] +=== Enumerating Domain Trusts via DSQUERY.EXE + +Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11) +* https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Enumerating Domain Trusts via DSQUERY.EXE* + + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + + +*Related rules* + + +- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "dsquery.exe" or ?process.pe.original_file_name: "dsquery.exe") and + process.args : "*objectClass=trustedDomain*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe.asciidoc new file mode 100644 index 0000000000..81bddc08e0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe]] +=== Enumerating Domain Trusts via NLTEST.EXE + +Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11) +* https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Enumerating Domain Trusts via NLTEST.EXE* + + +Active Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a "trusting" domain permits users from a "trusted" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains. + +This rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + + +*Related rules* + + +- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "nltest.exe" and process.args : ( + "/DCLIST:*", "/DCNAME:*", "/DSGET*", + "/LSAQUERYFTI:*", "/PARENTDOMAIN", + "/DOMAIN_TRUSTS", "/BDC_QUERY:*" + ) and +not process.parent.name : "PDQInventoryScanner.exe" and +not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse.asciidoc new file mode 100644 index 0000000000..2ec567c934 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse.asciidoc @@ -0,0 +1,137 @@ +[[prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse]] +=== Enumeration Command Spawned via WMIPrvSE + +Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.command_line != null and + process.name: + ( + "arp.exe", + "dsquery.exe", + "dsget.exe", + "gpresult.exe", + "hostname.exe", + "ipconfig.exe", + "nbtstat.exe", + "net.exe", + "net1.exe", + "netsh.exe", + "netstat.exe", + "nltest.exe", + "ping.exe", + "qprocess.exe", + "quser.exe", + "qwinsta.exe", + "reg.exe", + "sc.exe", + "systeminfo.exe", + "tasklist.exe", + "tracert.exe", + "whoami.exe" + ) and + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Sub-technique: +** Name: Internet Connection Discovery +** ID: T1016.001 +** Reference URL: https://attack.mitre.org/techniques/T1016/001/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process.asciidoc new file mode 100644 index 0000000000..f83faed662 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process]] +=== Executable Masquerading as Kernel Process + +Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name : ("kworker*", "kthread*") and process.executable != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell.asciidoc new file mode 100644 index 0000000000..a184330bef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell.asciidoc @@ -0,0 +1,162 @@ +[[prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell]] +=== Exporting Exchange Mailbox via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 213 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Exporting Exchange Mailbox via PowerShell* + + +Email mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors. + +The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. + +Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the export operation: + - Identify the user account that performed the action and whether it should perform this kind of action. + - Contact the account owner and confirm whether they are aware of this activity. + - Check if this operation was approved and performed according to the organization's change management policy. + - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests. + - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the "Mailbox Import Export" privilege for abnormal activity. +- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export. +- If the operation was completed successfully: + - Check if the file is on the path specified in the command. + - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration. + + +*False positive analysis* + + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. +- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle is being followed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc new file mode 100644 index 0000000000..c338a963de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc @@ -0,0 +1,132 @@ +[[prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager]] +=== First Time Seen AWS Secret Value Accessed in Secrets Manager + +An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html +* https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/ +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 311 + +*Rule authors*: + +* Nick Jones +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager* + + +AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. + +This rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule[New Terms] rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days. + + +*Possible investigation steps* + + +- Identify the account and its role in the environment, and inspect the related policy. +- Identify the applications that should use this account. +- Investigate other alerts associated with the user account during the past 48 hours. +- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users. +- Contact the account owner and confirm whether they are aware of this activity. +- Considering the source IP address and geolocation of the user who issued the command: + - Do they look normal for the calling user? + - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control? + - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance? +- Review IAM permission policies for the user identity and specific secrets accessed. +- Examine the request parameters. These might indicate the source of the program or the nature of its tasks. +- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours. + + +*False positive analysis* + + +- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users. +- Consider enabling multi-factor authentication for users. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/[outlined] by AWS. +- Take the actions needed to return affected systems, data, or services to their normal operational levels. +- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +==== Setup + + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and + event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and + not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-driver-loaded.asciidoc new file mode 100644 index 0000000000..bb5657737e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-first-time-seen-driver-loaded.asciidoc @@ -0,0 +1,153 @@ +[[prebuilt-rule-8-11-17-first-time-seen-driver-loaded]] +=== First Time Seen Driver Loaded + +Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.library-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating First Time Seen Driver Loaded* + + +A driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability. + +Attackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware. + +Read the complete research on "Stopping Vulnerable Driver Attacks" done by Elastic Security Labs https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks[here]. + +This rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context: + - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field. + - Examine the digital signature of the driver, and check if it's valid. + - Examine the creation and modification timestamps of the file: + - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `"dll.Ext.relative_file_name_modify_time"` fields, with the values being seconds. + - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation. + - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Use Osquery to investigate the drivers loaded into the system. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + + +*False positive analysis* + + +- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk. + + +*Related Rules* + + +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"driver" and host.os.type:windows and event.action:"load" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-github-protected-branch-settings-changed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-github-protected-branch-settings-changed.asciidoc new file mode 100644 index 0000000000..c66bab47cf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-github-protected-branch-settings-changed.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-17-github-protected-branch-settings-changed]] +=== GitHub Protected Branch Settings Changed + +This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks. + +*Rule type*: eql + +*Rule indices*: + +* logs-github.audit-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Cloud +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Github + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +configuration where event.dataset == "github.audit" + and github.category == "protected_branch" and event.type == "change" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session.asciidoc new file mode 100644 index 0000000000..d307eeda13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session]] +=== High Mean of Process Arguments in an RDP Session + +A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration.asciidoc new file mode 100644 index 0000000000..6486a2165a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration]] +=== High Mean of RDP Session Duration + +A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration.asciidoc new file mode 100644 index 0000000000..60b287d2b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration]] +=== High Variance in RDP Session Duration + +A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc new file mode 100644 index 0000000000..a45cdbb515 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added]] +=== Insecure AWS EC2 VPC Security Group Ingress Rule Added + +Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html +* https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html +* https://www.linkedin.com/pulse/my-backdoors-your-aws-infrastructure-part-3-network-micha%C5%82-brygidyn/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating Insecure AWS EC2 VPC Security Group Ingress Rule Added* + + +This rule detects the addition of ingress rules to a VPC security group that allow traffic from any IP address (`0.0.0.0/0` or `::/0`) to sensitive ports commonly used for remote access, such as SSH (port 22) and RDP (port 3389). This configuration change can significantly increase the exposure of EC2 instances to potential threats, making it crucial to understand the context and legitimacy of such changes. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Investigate whether this actor has the necessary permissions and typically performs these actions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand exactly what changes were made to the security group. Check for any unusual parameters that could suggest a misconfiguration or malicious intent. +- **Analyze the Source of the Request**: Look at the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unusual location could indicate compromised credentials. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications outside of typical business hours might warrant additional scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor engaged in other potentially suspicious activities. + + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Verify if the ingress rule change aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management tickets or systems. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. Consistency with past legitimate actions might indicate a false alarm. +- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended as per policy. + + +*Response and Remediation:* + + +- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, revert the security group rules to their previous state to close any unintended access. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar security group changes, especially those that open access to well-known ports from any IP address. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning security group management. +- **Audit Security Groups and Policies**: Conduct a comprehensive audit of all security groups and associated policies to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing security group rules and securing AWS environments, refer to the https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[Amazon VPC Security Groups documentation] and AWS best practices for security. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" + and event.provider: ec2.amazonaws.com + and event.action: AuthorizeSecurityGroupIngress + and event.outcome: success + and aws.cloudtrail.flattened.request_parameters.cidrIp: ("0.0.0.0/0" or "::/0") + and aws.cloudtrail.flattened.request_parameters.fromPort: ( + 21 or 22 or 23 or 445 or 3389 or 5985 or 5986) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Firewall +** ID: T1562.007 +** Reference URL: https://attack.mitre.org/techniques/T1562/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-kirbi-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-kirbi-file-creation.asciidoc new file mode 100644 index 0000000000..c0d3f2d8d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-kirbi-file-creation.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-17-kirbi-file-creation]] +=== Kirbi File Creation + +Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and file.extension : "kirbi" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled.asciidoc new file mode 100644 index 0000000000..3b2479ab06 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled]] +=== Local Account TokenFilter Policy Disabled + +Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439 +* https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167 +* https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\*\\LocalAccountTokenFilterPolicy", + "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy", + "MACHINE\\*\\LocalAccountTokenFilterPolicy") and + registry.data.strings : ("1", "0x00000001") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Hash +** ID: T1550.002 +** Reference URL: https://attack.mitre.org/techniques/T1550/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc new file mode 100644 index 0000000000..ee7d6eaad2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain]] +=== Machine Learning Detected a DNS Request Predicted to be a DGA Domain + +A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga +* https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. + + +*DGA Detection Setup* + +The DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events. + + +*Prerequisite Requirements:* + +- Fleet is required for DGA Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- DNS events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend], https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration, or https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html[Packetbeat]. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. +- To set up and run Packetbeat, follow https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html[this] guide. + + +*The following steps should be executed to install assets associated with the DGA Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. + + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc new file mode 100644 index 0000000000..8a6fa09454 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score]] +=== Machine Learning Detected a DNS Request With a High DGA Probability Score + +A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga +* https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. + + +*DGA Detection Setup* + +The DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events. + + +*Prerequisite Requirements:* + +- Fleet is required for DGA Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- DNS events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend], https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration, or https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html[Packetbeat]. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. +- To set up and run Packetbeat, follow https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html[this] guide. + + +*The following steps should be executed to install assets associated with the DGA Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. + + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_probability > 0.98 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc new file mode 100644 index 0000000000..5fe8c557b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc @@ -0,0 +1,102 @@ +[[prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity]] +=== Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. + + +==== Rule query + + +[source, js] +---------------------------------- +process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc new file mode 100644 index 0000000000..1747a4a54a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score]] +=== Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. + + +==== Rule query + + +[source, js] +---------------------------------- +process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or +blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc new file mode 100644 index 0000000000..5521f0e06b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain]] +=== Machine Learning Detected DGA activity using a known SUNBURST DNS domain + +A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga +* https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. + + +*DGA Detection Setup* + +The DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events. + + +*Prerequisite Requirements:* + +- Fleet is required for DGA Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- DNS events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend], https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration, or https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html[Packetbeat]. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. +- To set up and run Packetbeat, follow https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html[this] guide. + + +*The following steps should be executed to install assets associated with the DGA Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Configure the ingest pipeline**. + + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-microsoft-windows-defender-tampering.asciidoc new file mode 100644 index 0000000000..8511ba6efe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-microsoft-windows-defender-tampering.asciidoc @@ -0,0 +1,171 @@ +[[prebuilt-rule-8-11-17-microsoft-windows-defender-tampering]] +=== Microsoft Windows Defender Tampering + +Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +* https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +* https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html +* https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html +* https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html +* https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 111 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Microsoft Windows Defender Tampering* + + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for modifications that disable Windows Defender features. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy. + + +*False positive analysis* + + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + + +*Related rules* + + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIntrusionPreventionSystem" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\\DisableEnhancedNotifications" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" and + registry.data.strings : ("1", "0x00000001")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected.asciidoc new file mode 100644 index 0000000000..dc0b364308 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected]] +=== Mimikatz Memssp Log File Detected + +Identifies the password log file from the default Mimikatz memssp module. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 211 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Mimikatz Memssp Log File Detected* + + +https://github.com/gentilkiwi/mimikatz[Mimikatz] is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network. + +This rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon. + + +*Possible investigation steps* + + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. +- Retrieve and inspect the log file contents. +- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files. + - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Identify the process that created the DLL using file creation events. + + +*False positive analysis* + + +- This file name `mimilsa.log` should not legitimately be created. + + +*Related rules* + + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the host is a Domain Controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reboot the host to remove the injected SSP from memory. +- Reimage the host operating system or restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-modification-of-amsienable-registry-key.asciidoc new file mode 100644 index 0000000000..068de73e73 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-modification-of-amsienable-registry-key.asciidoc @@ -0,0 +1,162 @@ +[[prebuilt-rule-8-11-17-modification-of-amsienable-registry-key]] +=== Modification of AmsiEnable Registry Key + +Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf +* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Modification of AmsiEnable Registry Key* + + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it. + +This rule monitors the modifications to the Software\Microsoft\Windows Script\Settings\AmsiEnable registry key. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Retrieve scripts or Microsoft Office files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. + + +*False positive analysis* + + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + + +*Related rules* + + +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Delete or set the key to its default value. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.path : ( + "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" + ) and + registry.data.strings: ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-network-activity-detected-via-kworker.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-network-activity-detected-via-kworker.asciidoc new file mode 100644 index 0000000000..ef8a81fc2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-network-activity-detected-via-kworker.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-11-17-network-activity-detected-via-kworker]] +=== Network Activity Detected via Kworker + +This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and +process.name:kworker* and not destination.ip:( + 10.0.0.0/8 or + 127.0.0.0/8 or + 169.254.0.0/16 or + 172.16.0.0/12 or + 192.168.0.0/16 or + 224.0.0.0/4 or + "::1" or + "FE80::/10" or + "FF00::/8" +) and not destination.port:2049 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..ba38462edf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process.asciidoc @@ -0,0 +1,220 @@ +[[prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process]] +=== New Systemd Service Created by Previously Unknown Process + +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating New Systemd Service Created by Previously Unknown Process* + + +Systemd service files are configuration files in Linux systems used to define and manage system services. + +Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +This rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the systemd service file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" or "packagekitd" or + "podman" + ) or + file.extension:("swp" or "swpx") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-timer-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-timer-created.asciidoc new file mode 100644 index 0000000000..5fa3b50b80 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-new-systemd-timer-created.asciidoc @@ -0,0 +1,187 @@ +[[prebuilt-rule-8-11-17-new-systemd-timer-created]] +=== New Systemd Timer Created + +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating New Systemd Timer Created* + + +Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. + +Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. + +This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the timer file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`. +- Search for the systemd service file named similarly to the timer that was created. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and +file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not ( + (process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" or "pacman" or "podman" or + "pamac-daemon" + )) + or (file.name:apt-*.timer) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Systemd Timers +** ID: T1053.006 +** Reference URL: https://attack.mitre.org/techniques/T1053/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline.asciidoc new file mode 100644 index 0000000000..f99dabddc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline]] +=== Persistence via BITS Job Notify Cmdline + +An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/2019/10/30/persistence-bits-jobs/ +* https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline +* https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and process.parent.args : "BITS" and + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc new file mode 100644 index 0000000000..5fb12dab55 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc @@ -0,0 +1,214 @@ +[[prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification]] +=== Persistence via KDE AutoStart Script or Desktop File Modification + +Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://userbase.kde.org/System_Settings/Autostart +* https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Persistence via KDE AutoStart Script or Desktop File Modification* + + +K Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon. + +Adversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files. + +The detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions ".sh" or ".desktop" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False positive analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Custom Ingest Pipeline* + +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html[guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type != "deletion" and + file.extension in ("sh", "desktop") and + file.path : + ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", "/usr/share/autostart/*" + ) and + not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", + "rpm", "pacman", "podman", "nautilus", "remmina", "cinnamon-settings.py") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation.asciidoc new file mode 100644 index 0000000000..1e9c45e76a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation]] +=== Persistence via Scheduled Job Creation + +A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" and + not ( + ( + process.executable : "?:\\Program Files\\CCleaner\\CCleaner64.exe" and + file.path : "?:\\Windows\\Tasks\\CCleanerCrashReporting.job" + ) or + ( + process.executable : ( + "?:\\Program Files (x86)\\ManageEngine\\UEMS_Agent\\bin\\dcagentregister.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcagentregister.exe" + ) and + file.path : "?:\\Windows\\Tasks\\DCAgentUpdater.job" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-port-forwarding-rule-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-port-forwarding-rule-addition.asciidoc new file mode 100644 index 0000000000..7d339de0d8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-port-forwarding-rule-addition.asciidoc @@ -0,0 +1,151 @@ +[[prebuilt-rule-8-11-17-port-forwarding-rule-addition]] +=== Port Forwarding Rule Addition + +Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Port Forwarding Rule Addition* + + +Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer. + +Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems. + +This rule monitors the modifications to the `HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\` subkeys. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used. + - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations. + + +*False positive analysis* + + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Delete the port forwarding rule. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*", + "MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected.asciidoc new file mode 100644 index 0000000000..2332712f78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected]] +=== Potential Buffer Overflow Attack Detected + +Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts. + +*Rule type*: threshold + +*Rule indices*: + +* .alerts-security.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Initial Access +* Use Case: Vulnerability +* Rule Type: Higher-Order Rule + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + + +This rule leverages alert data from other prebuilt detection rules to function correctly. + + +*Dependent Elastic Detection Rule Enablement* + +As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled: +- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013) + + +==== Rule query + + +[source, js] +---------------------------------- +kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc new file mode 100644 index 0000000000..5efbe63e83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port]] +=== Potential Data Exfiltration Activity to an Unusual Destination Port + +A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc new file mode 100644 index 0000000000..e59a29cc5d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address]] +=== Potential Data Exfiltration Activity to an Unusual IP Address + +A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc new file mode 100644 index 0000000000..d219c8e04c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code]] +=== Potential Data Exfiltration Activity to an Unusual ISO Code + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc new file mode 100644 index 0000000000..026f0f6e09 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region]] +=== Potential Data Exfiltration Activity to an Unusual Region + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-dga-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-dga-activity.asciidoc new file mode 100644 index 0000000000..d3851d4c74 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-dga-activity.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-11-17-potential-dga-activity]] +=== Potential DGA Activity + +A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga +* https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration + +*Tags*: + +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. + + +*DGA Detection Setup* + +The DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events. + + +*Prerequisite Requirements:* + +- Fleet is required for DGA Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- DNS events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend], https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration, or https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html[Packetbeat]. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. +- To set up and run Packetbeat, follow https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html[this] guide. + + +*The following steps should be executed to install assets associated with the DGA Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Anomaly Detection Setup* + +Before you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. +- Go to the Kibana homepage. Under Analytics, click Machine Learning. +- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your enriched DNS events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture. +- If the selected Data View contains events that match the query in https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json[this] configuration file, you will see a card for DGA under "Use preconfigured jobs". +- Keep the default settings and click "Create jobs" to start the anomaly detection job and datafeed. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation.asciidoc new file mode 100644 index 0000000000..fa9e57b260 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation]] +=== Potential Linux Backdoor User Account Creation + +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Auditd Manager + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Linux Backdoor User Account Creation* + + +The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems. + +Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account. + +This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + +- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes. + - !{osquery{"label":"Osquery - Retrieve User Accounts with a UID of 0","query":"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\n'0'\n"}} +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Identify if the account was added to privileged groups or assigned special privileges after creation. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") + and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-network-sweep-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-network-sweep-detected.asciidoc new file mode 100644 index 0000000000..0bba01ec43 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-network-sweep-detected.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-17-potential-network-sweep-detected]] +=== Potential Network Sweep Detected + +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. + +*Rule type*: threshold + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* +* logs-endpoint.events.network-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and +source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected.asciidoc new file mode 100644 index 0000000000..998dcc5c0b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected.asciidoc @@ -0,0 +1,189 @@ +[[prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected]] +=== Potential Persistence Through init.d Detected + +Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Persistence Through init.d Detected* + + +The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown. + +Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory. + +This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +*Possible Investigation Steps* + + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\n'/run/systemd/generator.late/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the maliciously created service/init.d files or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : /etc/init.d/* and not ( + (process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "rpm" or + "vmis-launcher" or "exe" or "platform-python" or "executor" or "podman")) or + (file.extension : ("swp" or "swpx")) or + (process.name:mv and file.name:*.dpkg-remove) or + (process.name:sed and file.name:sed*) or + (process.name:systemd and file.name:*.dpkg-new) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected.asciidoc new file mode 100644 index 0000000000..24973e0b97 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected.asciidoc @@ -0,0 +1,181 @@ +[[prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected]] +=== Potential Persistence Through MOTD File Creation Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 10 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Persistence Through MOTD File Creation Detected* + + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges. + +This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE\n'/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + + +*Related Rules* + + +- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447 + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf or podman or ln or yum +) and not ( + (process.name:mv and file.extension:dpkg-remove) or + (file.extension:(swp or swpx)) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected.asciidoc new file mode 100644 index 0000000000..abdf899b5b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected.asciidoc @@ -0,0 +1,184 @@ +[[prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected]] +=== Potential Persistence Through Run Control Detected + +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Persistence Through Run Control Detected* + + +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. + +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. + +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`. + - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\n"}} + - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. + - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service. + - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the `service/rc.local` files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and +event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc new file mode 100644 index 0000000000..b2673a278a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system]] +=== Potential Ransomware Behavior - High count of Readme files by System + +This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Possible investigation steps* + + +- Investigate the content of the readme files. +- Investigate any file names with unusual extensions. +- Investigate any incoming network connection to port 445 on this host. +- Investigate any network logon events to this host. +- Identify the total number and type of modified files by pid 4. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Local file modification from a Kernel mode driver. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and + file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb.asciidoc new file mode 100644 index 0000000000..b90f87b91d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb]] +=== Potential Ransomware Note File Dropped via SMB + +Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file creation with similar file naming convention via SMB. + + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and event.action == "creation" and + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and + /* ransom file name keywords */ + file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected.asciidoc new file mode 100644 index 0000000000..e09b0dcff8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected]] +=== Potential Remote Desktop Tunneling Detected + +Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Remote Desktop Tunneling Detected* + + +Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination. + +Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols. + +This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine network data to determine if the host communicated with external servers using the tunnel. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* RDP port and usual SSH tunneling related switches in command line */ + process.args : "*:3389" and + process.args : ("-L", "-P", "-R", "-pw", "-ssh") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell-via-child.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell-via-child.asciidoc new file mode 100644 index 0000000000..674a1cb4ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell-via-child.asciidoc @@ -0,0 +1,120 @@ +[[prebuilt-rule-8-11-17-potential-reverse-shell-via-child]] +=== Potential Reverse Shell via Child + +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click Add integrations. +- In the query bar, search for Elastic Defend and select the integration to see more details about it. +- Click Add Elastic Defend. +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click Save and Continue. +- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=5s + [network where event.type == "start" and host.os.type == "linux" and + event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and + not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + [process where event.type == "start" and host.os.type == "linux" and event.action == "exec" and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*") + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell.asciidoc new file mode 100644 index 0000000000..06f535a21f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-reverse-shell.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-17-potential-reverse-shell]] +=== Potential Reverse Shell + +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [network where event.type == "start" and host.os.type == "linux" and + event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and + not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.entity_id + [process where event.type == "start" and host.os.type == "linux" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*") + )] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-suspicious-file-edit.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-suspicious-file-edit.asciidoc new file mode 100644 index 0000000000..ae855cc559 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-potential-suspicious-file-edit.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-17-potential-suspicious-file-edit]] +=== Potential Suspicious File Edit + +This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 1 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and file.extension == "swp" and +file.path : ( + /* common interesting files and locations */ + "/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp", + "/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp", + "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", "/etc/ld.so.conf.d/.*.swp", + "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", + "/usr/lib/update-notifier/.*.swp", + + /* service, timer, want, socket and lock files */ + "/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp", + "/usr/lib/systemd/system/.*.swp","/home/*/.config/systemd/user/.*.swp", "/run/.*.swp", "/var/run/.*.swp/", + + /* profile and shell configuration files */ + "/home/*.profile.swp", "/home/*.bash_profile.swp", "/home/*.bash_login.swp", "/home/*.bashrc.swp", "/home/*.bash_logout.swp", + "/home/*.zshrc.swp", "/home/*.zlogin.swp", "/home/*.tcshrc.swp", "/home/*.kshrc.swp", "/home/*.config.fish.swp", + "/root/*.profile.swp", "/root/*.bash_profile.swp", "/root/*.bash_login.swp", "/root/*.bashrc.swp", "/root/*.bash_logout.swp", + "/root/*.zshrc.swp", "/root/*.zlogin.swp", "/root/*.tcshrc.swp", "/root/*.kshrc.swp", "/root/*.config.fish.swp" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-powershell-script-block-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-powershell-script-block-logging-disabled.asciidoc new file mode 100644 index 0000000000..5394553d69 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-powershell-script-block-logging-disabled.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-17-powershell-script-block-logging-disabled]] +=== PowerShell Script Block Logging Disabled + +Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating PowerShell Script Block Logging Disabled* + + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code. + +PowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands. + + +*Possible investigation steps* + + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense for the user to use PowerShell to complete tasks. +- Investigate if PowerShell scripts were run after logging was disabled. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Related rules* + + +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" + ) and registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..1812e3b43f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and host.os.type == "macos" and + process.name : "osascript" and process.args : "-e" and process.command_line : ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*") and + not (process.parent.executable : "/usr/bin/sudo" and process.command_line : "*Encryption Key Escrow*") and + not (process.command_line : "*-e with timeout of 3600 seconds*" and user.id == "0" and process.parent.executable : "/bin/bash") and + not process.Ext.effective_parent.executable : ("/usr/local/jamf/*", + "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements", + "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc new file mode 100644 index 0000000000..02a31ff018 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process]] +=== Quarantine Attrib Removed by Unsigned or Untrusted Process + +Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://nixhacker.com/security-protection-in-macos-1/ +* https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "extended_attributes_delete" and host.os.type == "macos" and process.executable != null and +(process.code_signature.trusted == false or process.code_signature.exists == false) and not +process.executable : ("/usr/bin/xattr", + "/System/*", + "/private/tmp/KSInstallAction.*/*/Install Google Software Update.app/Contents/Helpers/ksinstall", + "/Applications/CEWE Fotoschau.app/Contents/MacOS/FotoPlus", + "/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust") and not +file.path : "/private/var/folders/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll.asciidoc new file mode 100644 index 0000000000..0c3a1783d0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll]] +=== Registry Persistence via AppCert DLL + +Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and +/* uncomment once stable length(bytes_written_string) > 0 and */ + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted.asciidoc new file mode 100644 index 0000000000..937d170e7a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted]] +=== Route53 Resolver Query Log Configuration Deleted + +Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon Route53 +* Use Case: Log Auditing +* Resources: Investigation Guide +* Tactic: Defense Evasion + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating Route53 Resolver Query Log Configuration Deleted* + + +This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network. + +Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts. + + +*Possible Investigation Steps* + + +- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. + - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion. +- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. + - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign. +- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. + - Investigate any recent permission changes that might indicate role abuse or credentials compromise. +- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. + - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems. +- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel. + + +*Response and Remediation* + + +- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries. +- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. + - Adjust AWS IAM policies to reinforce security measures. +- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions. +- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities. + + +*Additional Information* + + +For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html[Amazon Route53 Resolver documentation]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com + and event.action: DeleteResolverQueryLogConfig and event.outcome: success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Logs +** ID: T1562.008 +** Reference URL: https://attack.mitre.org/techniques/T1562/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter.asciidoc new file mode 100644 index 0000000000..7230a2b90c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter.asciidoc @@ -0,0 +1,172 @@ +[[prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter]] +=== Service Control Spawned via Script Interpreter + +Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* logs-system.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Service Control Spawned via Script Interpreter* + + +Windows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components. + +The `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics. + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +*False positive analysis* + + +- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is not compatible with Sysmon due to user.id issues */ + +process where host.os.type == "windows" and event.type == "start" and + (process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and + process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", + "wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and + process.args:("config", "create", "start", "delete", "stop", "pause") and + /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */ + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..99251fd0e3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,185 @@ +[[prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process]] +=== Shared Object Created or Changed by Previously Unknown Process + +This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threatpost.com/sneaky-malware-backdoors-linux/180158/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Shared Object Created or Changed by Previously Unknown Process* + + +A shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. + +Malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +This rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the shared object that was created or modified through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE path = {{file.path}}\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and +file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not ( + process.name:("dockerd" or "dpkg" or "rpm" or "snapd" or "yum" or "vmis-launcher" or "pacman" or + "apt-get" or "dnf" or "podman" or "platform-python") or + (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry.asciidoc new file mode 100644 index 0000000000..bf36f6ca80 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry.asciidoc @@ -0,0 +1,113 @@ +[[prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry]] +=== SolarWinds Process Disabling Services via Registry + +Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start" + ) and + registry.data.strings : ("4", "0x00000004") and + process.name : ( + "SolarWinds.BusinessLayerHost*.exe", + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc new file mode 100644 index 0000000000..4d94010407 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop]] +=== Spike in Bytes Sent to an External Device via Airdrop + +A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the Elastic Defend integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Other Network Medium +** ID: T1011 +** Reference URL: https://attack.mitre.org/techniques/T1011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device.asciidoc new file mode 100644 index 0000000000..51b0b3b9b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device]] +=== Spike in Bytes Sent to an External Device + +A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the Elastic Defend integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip.asciidoc new file mode 100644 index 0000000000..9369026d8a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip]] +=== Spike in Number of Connections Made from a Source IP + +A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc new file mode 100644 index 0000000000..7320ed9ff9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip]] +=== Spike in Number of Connections Made to a Destination IP + +A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session.asciidoc new file mode 100644 index 0000000000..ba756513a7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session]] +=== Spike in Number of Processes in an RDP Session + +A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-remote-file-transfers.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-remote-file-transfers.asciidoc new file mode 100644 index 0000000000..c05202bc0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-spike-in-remote-file-transfers.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-spike-in-remote-file-transfers]] +=== Spike in Remote File Transfers + +A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification.asciidoc new file mode 100644 index 0000000000..94b5227d00 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification]] +=== SSH Authorized Keys File Modification + +The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:(change or creation) and + file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and + not process.executable: + (/Library/Developer/CommandLineTools/usr/bin/git or + /usr/local/Cellar/maven/*/libexec/bin/mvn or + /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or + /usr/bin/vim or + /usr/local/Cellar/coreutils/*/bin/gcat or + /usr/bin/bsdtar or + /usr/bin/nautilus or + /usr/bin/scp or + /usr/bin/touch or + /var/lib/docker/* or + /usr/bin/google_guest_agent or + /opt/jc/bin/jumpcloud-agent or + /opt/puppetlabs/puppet/bin/puppet or + /usr/bin/chef-client +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: SSH Authorized Keys +** ID: T1098.004 +** Reference URL: https://attack.mitre.org/techniques/T1098/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container.asciidoc new file mode 100644 index 0000000000..355edf625f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container]] +=== SSH Authorized Keys File Modified Inside a Container + +This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-cloud_defend* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-6m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Lateral Movement + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where container.id:"*" and + event.type in ("change", "creation") and file.name: ("authorized_keys", "authorized_keys2", "sshd_config") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: SSH Authorized Keys +** ID: T1098.004 +** Reference URL: https://attack.mitre.org/techniques/T1098/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance.asciidoc new file mode 100644 index 0000000000..ffffa98815 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance]] +=== SSM Session Started to EC2 Instance + +Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html +* https://hackingthe.cloud/aws/post_exploitation/intercept_ssm_communications/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS SSM +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating SSM Session Started to EC2 Instance* + + +This rule detects the first instance of an AWS resource initiating an SSM session to an EC2 instance, which could be indicative of legitimate administrative activities or potential malicious actions like command execution or lateral movement. + + +*Possible Investigation Steps* + + +- **Examine the Session Start Event**: Review the AWS CloudTrail log for the event. + - Look for the `StartSession` action and verify details such as the `user_identity.arn`, `event.action`, and the target EC2 instance (`aws.cloudtrail.flattened.request_parameters`). +- **Verify User Identity and Role**: Check the user’s ARN and access key ID (`aws.cloudtrail.user_identity.access_key_id`). + - Cross-reference this with IAM to verify if the user had the necessary permissions and if their role typically requires initiating SSM sessions. +- **Assess Geographic and IP Context**: Analyze the source IP (`source.ip`) and geographic location (`source.geo`) from which the session was initiated. + - Determine if these are consistent with typical user locations or if they raise suspicions of compromise or misuse. +- **Review Session Details**: Examine details like the session ID and stream URL (`aws.cloudtrail.flattened.response_elements`) to understand the scope and nature of the session. + - Check if any commands executed during the session were unauthorized or out of ordinary practices. +- **Correlate with Other Security Events**: Look for other related security events around the time of the session start to identify any pattern or broader attack vector that may involve this user or EC2 instance. + + +*False Positive Analysis* + + +- **Legitimate Administrative Activities**: Confirm whether the SSM session was initiated for valid administrative purposes such as system maintenance, patching, or configuration updates. Verify with the respective teams or personnel. + + +*Response and Remediation* + + +- **Immediate Session Review**: If the session initiation seems suspicious, review all actions taken during the session. + - If possible, terminate the session to prevent any potential harm. +- **Validate and Reinforce Security Policies**: Ensure that policies around SSM session initiation are strict and adhere to the principle of least privilege. + - Update IAM policies if necessary to tighten controls. +- **Incident Response Activation**: If malicious intent or actions are confirmed, activate the incident response protocol. + - This includes containment of the threat, eradication of the adversary’s presence, recovery of affected systems, and a thorough investigation. +- **Enhance Monitoring and Alerts**: Improve monitoring of SSM sessions, particularly focusing on sessions that involve sensitive or critical EC2 instances. + - Adjust alerting mechanisms to flag unusual session initiations promptly. + + +*Additional Information* + + +For more in-depth understanding of managing SSM sessions and security best practices, refer to the https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html[AWS Systems Manager documentation]. Additionally, consider the security implications and best practices outlined in https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc[AWS SSM privilege escalation techniques]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"aws.cloudtrail" and event.provider:"ssm.amazonaws.com" + and event.action:"StartSession" and event.outcome:"success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Cloud Services +** ID: T1021.007 +** Reference URL: https://attack.mitre.org/techniques/T1021/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc new file mode 100644 index 0000000000..5ce5952e08 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc @@ -0,0 +1,96 @@ +[[prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence]] +=== Statistical Model Detected C2 Beaconing Activity with High Confidence + +A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. + + +*Network Beaconing Identification Setup* + +The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. + + +*Prerequisite Requirements:* + +- Fleet is required for Network Beaconing Identification. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Network Beaconing Identification integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. + + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.beaconing_score: 3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity.asciidoc new file mode 100644 index 0000000000..2dfad22fc4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity]] +=== Statistical Model Detected C2 Beaconing Activity + +A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. + + +*Network Beaconing Identification Setup* + +The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. + + +*Prerequisite Requirements:* + +- Fleet is required for Network Beaconing Identification. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Network events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] or https://docs.elastic.co/integrations/network_traffic[Network Packet Capture] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To add the Network Packet Capture integration to an Elastic Agent policy, refer to https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html[this] guide. + + +*The following steps should be executed to install assets associated with the Network Beaconing Identification integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. + + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.is_beaconing: true and +not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll.asciidoc new file mode 100644 index 0000000000..b75df4df49 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll]] +=== Suspicious Antimalware Scan Interface DLL + +Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Antimalware Scan Interface DLL* + + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Attackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the process that created the DLL and which account was used. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Investigate other processes launched from the directory that the DLL was created. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + + +*False positive analysis* + + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and file.path != null and + file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process.asciidoc new file mode 100644 index 0000000000..f58d22752d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process]] +=== Suspicious Endpoint Security Parent Process + +A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("esensor.exe", "elastic-endpoint.exe") and + process.parent.executable != null and + /* add FPs here */ + not process.parent.executable : ( + "?:\\Program Files\\Elastic\\*", + "?:\\Windows\\System32\\services.exe", + "?:\\Windows\\System32\\WerFault*.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Windows\\explorer.exe" + ) and + not ( + process.parent.executable : ( + "?:\\Windows\\System32\\cmd.exe", + "?:\\Windows\\System32\\SecurityHealthHost.exe", + "?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + ) and + process.args : ( + "test", "version", + "top", "run", + "*help", "status", + "upgrade", "/launch", + "/enable" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..699df5c4dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence.asciidoc @@ -0,0 +1,245 @@ +[[prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 114 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious File Creation in /etc for Persistence* + + +The /etc/ directory in Linux is used to store system-wide configuration files and scripts. + +By creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +This rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the file that was created or modified. +- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\n'/usr/lib/systemd/system/%' )\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr/lib/systemd/system/*") and not ( + (process.name : ( + "chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python", "dpkg", "yum", "apt", "dnf", "rpm", + "systemd", "snapd", "dnf-automatic", "yum-cron", "elastic-agent", "dnfdaemon-system", "dockerd", "executor", + "rhn_check" + ) + ) or + (file.extension in ("swp", "swpx", "tmp")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker.asciidoc new file mode 100644 index 0000000000..92b2da135e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker.asciidoc @@ -0,0 +1,193 @@ +[[prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker]] +=== Suspicious File Creation via Kworker + +This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious File Creation via Kworker* + + +Kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. + +Attackers may attempt to evade detection by masquerading as a kernel worker process. + +This rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the file that was created or modified through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE path = {{file.path}}\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b +- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click Add integrations. +- In the query bar, search for Elastic Defend and select the integration to see more details about it. +- Click Add Elastic Defend. +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click Save and Continue. +- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and + process.name : "kworker*" and not ( + (process.name : "kworker*kcryptd*") or + (file.path : ("/var/log/*", "/var/crash/*", "/var/run/*", "/var/lib/systemd/coredump/*", "/var/spool/*")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb.asciidoc new file mode 100644 index 0000000000..49bdf4d129 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb]] +=== Suspicious File Renamed via SMB + +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file rename over SMB. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and + event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and + file.extension != null and file.Ext.entropy >= 6 and + file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and + not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..b5ba942b78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process]] +=== Suspicious macOS MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and host.os.type == "macos" and + process.parent.name: ( + "Microsoft Word", + "Microsoft Outlook", + "Microsoft Excel", + "Microsoft PowerPoint", + "Microsoft OneNote" + ) and + process.name : ( + "curl", + "nscurl", + "bash", + "sh", + "osascript", + "python*", + "perl*", + "mktemp", + "chmod", + "php", + "nohup", + "openssl", + "plutil", + "PlistBuddy", + "xattr", + "mktemp", + "sqlite3", + "funzip", + "popen" + ) and + + // Filter FPs related to product version discovery and Office error reporting behavior + not process.args: + ( + "ProductVersion", + "hw.model", + "ioreg", + "ProductName", + "ProductUserVisibleVersion", + "ProductBuildVersion", + "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting", + "open -a Safari *", + "defaults read *", + "sysctl hw.model*", + "ioreg -d2 -c IOPlatformExpertDevice *", + "ps aux | grep 'ToDesk_Desktop' | grep -v grep", + "PIPE=\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*" + ) and + + not process.parent.executable : + ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/lan-cache", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) and + not (process.name : "sh" and process.command_line : "*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*") and + + not process.Ext.effective_parent.executable : ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/auditor", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc new file mode 100644 index 0000000000..28edc77700 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid]] +=== Suspicious Microsoft 365 Mail Access by ClientAppId + +Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a + +*Tags*: + +* Domain: Cloud +* Data Source: Microsoft 365 +* Use Case: Configuration Audit +* Tactic: Initial Access + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Microsoft 365 Mail Access by ClientAppId* + + +- Verify the ClientAppId, source.ip and geolocation associated with Mail Access. +- Verify the total number of used ClientAppId by that specific user.id. +- Verify if the mailbox owner was on leave and just resumed working or not. +- Verify if there are other alerts associated with the same user.id. +- Verify the total number of connections from that ClientAppId, if it's accessing other mailboxes and with a high frequency there is a high chance it's a false positive. + + +*False positive analysis* + + +- Legit Microsoft or third party ClientAppId. +- User changing of ClientAppId or new connection post an extended period of leave. +- If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive. + + +==== Setup + + + +*Setup* + + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success and +not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e366-9d6d-4c70-b22a-34c7ea72d73d" or + "a3883eba-fbe9-48bd-9ed3-dca3e0e84250" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or "27922004-5251-4030-b22d-91ecd9a37ea4" or + "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "00000002-0000-0000-c000-000000000000" or + "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or + "00000003-0000-0ff1-ce00-000000000000" or "00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or + "00000006-0000-0ff1-ce00-000000000000" or "00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or + "00000009-0000-0000-c000-000000000000" or "0000000c-0000-0000-c000-000000000000" or "00000015-0000-0000-c000-000000000000" or + "0000001a-0000-0000-c000-000000000000" or "00b41c95-dab0-4487-9791-b9d2c32c80f2" or "022907d3-0f1b-48f7-badc-1ba6abab6d66" or + "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or "08e18876-6177-487e-b8b5-cf950c1e598c" or "0cb7b9ec-5336-483b-bc31-b15b5788de71" or + "0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e" or "0f698dd4-f011-4d23-a33e-b36416dcb1e6" or "13937bba-652e-4c46-b222-3003f4d1ff97" or + "14d82eec-204b-4c2f-b7e8-296a70dab67e" or "16aeb910-ce68-41d1-9ac3-9e1673ac9575" or "1786c5ed-9644-47b2-8aa0-7201292175b6" or + "17d5e35f-655b-4fb0-8ae6-86356e9a49f5" or "18fbca16-2224-45f6-85b0-f7bf2b39b3f3" or "1950a258-227b-4e31-a9cf-717495945fc2" or + "1b3c667f-cde3-4090-b60b-3d2abd0117f0" or "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "20a11fe0-faa8-4df5-baf2-f965f8f9972e" or + "23523755-3a2b-41ca-9315-f81f3f566a95" or "243c63a3-247d-41c5-9d83-7788c43f1c43" or "268761a2-03f3-40df-8a8b-c3db24145b6b" or + "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "26abc9a8-24f0-4b11-8234-e86ede698878" or "27922004-5251-4030-b22d-91ecd9a37ea4" or + "28b567f6-162c-4f54-99a0-6887f387bbcc" or "29d9ed98-a469-4536-ade2-f981bc1d605e" or "2abdc806-e091-4495-9b10-b04d93c3f040" or + "2d4d3d8e-2be3-4bef-9f87-7875a61c29de" or "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or "3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7" or + "35d54a08-36c9-4847-9018-93934c62740c" or "37182072-3c9c-4f6a-a4b3-b3f91cacffce" or "38049638-cc2c-4cde-abe4-4479d721ed44" or + "3c896ded-22c5-450f-91f6-3d1ef0848f6e" or "4345a7b9-9a63-4910-a426-35363201d503" or "45a330b1-b1ec-4cc1-9161-9f03992aa49f" or + "47629505-c2b6-4a80-adb1-9b3a3d233b7b" or "4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or + "4b233688-031c-404b-9a80-a4f3f2351f90" or "4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or + "5572c4c0-d078-44ce-b81c-6cbf8d3ed39e" or "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" or "60c8bde5-3167-4f92-8fdb-059f6176dc0f" or + "61109738-7d2b-4a0b-9fe3-660b1ff83505" or "62256cef-54c0-4cb4-bcac-4c67989bdc40" or "6253bca8-faf2-4587-8f2f-b056d80998a7" or + "65d91a3d-ab74-42e6-8a2f-0add61688c74" or "66a88757-258c-4c72-893c-3e8bed4d6899" or "67e3df25-268a-4324-a550-0de1c7f97287" or + "69893ee3-dd10-4b1c-832d-4870354be3d8" or "74658136-14ec-4630-ad9b-26e160ff0fc6" or "74bcdadc-2fdc-4bb3-8459-76d06952a0e9" or + "797f4846-ba00-4fd7-ba43-dac1f8f63013" or "7ab7862c-4c57-491e-8a45-d52a7e023983" or "7ae974c5-1af7-4923-af3a-fb1fd14dcb7e" or + "7b7531ad-5926-4f2d-8a1d-38495ad33e17" or "80ccca67-54bd-44ab-8625-4b79c4dc7775" or "835b2a73-6e10-4aa5-a979-21dfda45231c" or + "871c010f-5e61-4fb1-83ac-98610a7e9110" or "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7" or "8edd93e1-2103-40b4-bd70-6e34e586362d" or + "905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba" or "91ca2ca5-3b3e-41dd-ab65-809fa3dffffa" or "93625bc8-bfe2-437a-97e0-3d0060024faa" or + "93d53678-613d-4013-afc1-62e9e444a0a5" or "944f0bd1-117b-4b1c-af26-804ed95e767e" or "94c63fef-13a3-47bc-8074-75af8c65887a" or + "95de633a-083e-42f5-b444-a4295d8e9314" or "97cb1f73-50df-47d1-8fb0-0271f2728514" or "98db8bd6-0cc0-4e67-9de5-f187f1cd1b41" or + "99b904fd-a1fe-455c-b86c-2f9fb1da7687" or "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" or "a3475900-ccec-4a69-98f5-a65cd5dc5306" or + "a3b79187-70b2-4139-83f9-6016c58cd27b" or "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978" or "a970bac6-63fe-4ec5-8884-8536862c42d4" or + "a9b49b65-0a12-430b-9540-c80b3332c127" or "ab9b8c07-8f02-4f72-87fa-80105867a763" or "ae8e128e-080f-4086-b0e3-4c19301ada69" or + "b23dd4db-9142-4734-867f-3577f640ad0c" or "b4bddae8-ab25-483e-8670-df09b9f1d0ea" or "b669c6ea-1adf-453f-b8bc-6d526592b419" or + "b6e69c34-5f1f-4c34-8cdf-7fea120b8670" or "bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4" or "bdd48c81-3a58-4ea9-849c-ebea7f6b6360" or + "c1c74fed-04c9-4704-80dc-9f79a2e515cb" or "c35cb2ba-f88b-4d15-aa9d-37bd443522e1" or "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" or + "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87" or "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or "cf36b471-5b44-428c-9ce7-313bf84528de" or + "cf53fce8-def6-4aeb-8d30-b158e7b1cf83" or "d176f6e7-38e5-40c9-8a78-3998aab820e7" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or + "d73f4b35-55c9-48c7-8b10-651f6f2acb2e" or "d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0" or "de8bc8b5-d9f9-48b1-a8ad-b748da725064" or + "dfe74da8-9279-44ec-8fb2-2aed9e1c73d0" or "e1ef36fd-b883-4dbf-97f0-9ece4b576fc6" or "e64aa8bc-8eb4-40e2-898b-cf261a25954f" or + "e9f49c6b-5ce5-44c8-925d-015017e9f7ad" or "ee272b19-4411-433f-8f28-5c13cb6fd407" or "f5eaa862-7f08-448c-9c4e-f4047d4d4521" or + "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process.asciidoc new file mode 100644 index 0000000000..63f0396564 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process.asciidoc @@ -0,0 +1,181 @@ +[[prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process]] +=== Suspicious MS Outlook Child Process + +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 213 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious MS Outlook Child Process* + + +Microsoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite. + +This rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "outlook.exe" and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", + "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", + "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", + "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", + "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..3efbff5837 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc @@ -0,0 +1,241 @@ +[[prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable]] +=== Suspicious Network Activity to the Internet by Previously Unknown Executable + +This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-59m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable* + + +After being installed, malware will often call out to its command and control server to receive further instructions by its operators. + +This rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + + +*Related rules* + + +- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39 + + +*False positive analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat +- Filebeat +- Packetbeat + + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Filebeat Setup* + +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + + +*The following steps should be executed in order to add the Filebeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html[helper guide]. +- To run Filebeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html[helper guide]. +- To run Filebeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html[helper guide]. +- For quick start information for Filebeat refer to the https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html[helper guide]. +- For complete “Setup and Run Filebeat” information refer to the https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html[helper guide]. + + +*Packetbeat Setup* + +Packetbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction. + + +*The following steps should be executed in order to add the Packetbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html[helper guide]. +- To run Packetbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html[helper guide]. +- For quick start information for Packetbeat refer to the https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html[helper guide]. +- For complete “Setup and Run Packetbeat” information refer to the https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* or + /var/log/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" or 0.0.0.0 +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected.asciidoc new file mode 100644 index 0000000000..fd0c5e6d4e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected.asciidoc @@ -0,0 +1,201 @@ +[[prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected]] +=== Suspicious Process Spawned from MOTD Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Process Spawned from MOTD Detected* + + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable. + +This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the file that was created or modified from which the suspicious process was executed. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE\n'/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services, and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + + +*Related Rules* + + +- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore them to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and host.os.type == "linux" and event.action : ("exec", "exec_event") and + process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( + (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or + (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*")) or + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) +) and +not ( + (process.parent.args : "--force") or + (process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) or + (process.parent.name == "system-crash-notification") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process.asciidoc new file mode 100644 index 0000000000..90890e600b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process.asciidoc @@ -0,0 +1,88 @@ +[[prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process]] +=== Suspicious ScreenConnect Client Child Process + +Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* winlogbeat-* +* logs-windows.sysmon_operational-* +* logs-system.security* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : + ("ScreenConnect.ClientService.exe", + "ScreenConnect.WindowsClient.exe", + "ScreenConnect.WindowsBackstageShell.exe", + "ScreenConnect.WindowsFileManager.exe") and + ( + (process.name : "powershell.exe" and + process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or + (process.name : "cmd.exe" and process.args : "/c") or + (process.name : "net.exe" and process.args : "/add") or + (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or + (process.name : "sc.exe" and process.args : "create") or + (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or + (process.name : "msiexec.exe" and process.args : ("/i", "-i") and + process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or + process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe", + "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system.asciidoc new file mode 100644 index 0000000000..0c6aab4149 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system]] +=== Suspicious Service was Installed in the System + +Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Service was Installed in the System* + + +Attackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads. + +This rule looks for suspicious services being created with suspicious traits compatible with the above behavior. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045). + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + + +*False positive analysis* + + +- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +any where + (event.code : "4697" and + (winlog.event_data.ServiceFileName : + ("*COMSPEC*", "*\\127.0.0.1*", "*Admin$*", "*powershell*", "*rundll32*", "*cmd.exe*", "*PSEXESVC*", + "*echo*", "*RemComSvc*", "*.bat*", "*.cmd*", "*certutil*", "*vssadmin*", "*certmgr*", "*bitsadmin*", + "*\\Users\\*", "*\\Windows\\Temp\\*", "*\\Windows\\Tasks\\*", "*\\PerfLogs\\*", "*\\Windows\\Debug\\*", + "*regsvr32*", "*msbuild*") or + winlog.event_data.ServiceFileName regex~ """%systemroot%\\[a-z0-9]+\.exe""")) or + + (event.code : "7045" and + winlog.event_data.ImagePath : ( + "*COMSPEC*", "*\\127.0.0.1*", "*Admin$*", "*powershell*", "*rundll32*", "*cmd.exe*", "*PSEXESVC*", + "*echo*", "*RemComSvc*", "*.bat*", "*.cmd*", "*certutil*", "*vssadmin*", "*certmgr*", "*bitsadmin*", + "*\\Users\\*", "*\\Windows\\Temp\\*", "*\\Windows\\Tasks\\*", "*\\PerfLogs\\*", "*\\Windows\\Debug\\*", + "*regsvr32*", "*msbuild*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access.asciidoc new file mode 100644 index 0000000000..50b286caf7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access]] +=== Suspicious Web Browser Sensitive File Access + +Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "open" and host.os.type == "macos" and process.executable != null and + file.name : ("cookies.sqlite", + "key?.db", + "logins.json", + "Cookies", + "Cookies.binarycookies", + "Login Data") and + ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript") and + not process.code_signature.signing_id : "org.mozilla.firefox" and + not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..bad912bf9e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-werfault-child-process.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-11-17-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 214 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + + process.parent.name : "WerFault.exe" and + + /* args -s and -t used to execute a process via SilentProcessExit mechanism */ + (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and + + not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-which-enumeration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-which-enumeration.asciidoc new file mode 100644 index 0000000000..03029c4cc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-which-enumeration.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-17-suspicious-which-enumeration]] +=== Suspicious which Enumeration + +This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and +not process.args == "--tty-only" + +/* potential tuning if rule would turn out to be noisy +and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and +process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +*/ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..2daf3a7af7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host]] +=== Suspicious Windows Process Cluster Spawned by a Host + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..6772420f46 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process]] +=== Suspicious Windows Process Cluster Spawned by a Parent Process + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..5cff38a1c5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user]] +=== Suspicious Windows Process Cluster Spawned by a User + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-zoom-child-process.asciidoc new file mode 100644 index 0000000000..7dee6e8757 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-suspicious-zoom-child-process.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-17-suspicious-zoom-child-process]] +=== Suspicious Zoom Child Process + +A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Zoom Child Process* + + +By examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation. + +This rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line of the child process to determine which commands or scripts were executed. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc new file mode 100644 index 0000000000..d7ff81ad49 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory]] +=== System Binary Copied and/or Moved to Suspicious Directory + +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.name in ("cp", "mv") and process.args : ( + // Shells + "/bin/*sh", "/usr/bin/*sh", + + // Interpreters + "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*", "/bin/perl*", + "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*", + + // Compilers + "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc", + + // Suspicious utilities + "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat", "/bin/nc.openbsd", + "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat", "/bin/openssl", + "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo", "/bin/mknod", + "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", + + // System utilities + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] + [file where host.os.type == "linux" and event.action == "creation" and file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-shells-via-services.asciidoc new file mode 100644 index 0000000000..a3f473236e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-system-shells-via-services.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-17-system-shells-via-services]] +=== System Shells via Services + +Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating System Shells via Services* + + +Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads. + +This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045). + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check for commands executed under the spawned shell. + + +*False positive analysis* + + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "services.exe" and + process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and + + /* Third party FP's */ + not process.args : "NVDisplay.ContainerLocalSystem" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process.asciidoc new file mode 100644 index 0000000000..81056c82ef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process.asciidoc @@ -0,0 +1,217 @@ +[[prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process]] +=== Systemd Service Started by Unusual Parent Process + +Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Systemd Service Started by Unusual Parent Process* + + +Systemd service files are configuration files in Linux systems used to define and manage systemd services. + +Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +This rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible Investigation Steps* + + +- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/user/.config/systemd/user/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} +- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001 +- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f +- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b +- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.type:start and event.action:exec and +process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and +process.entry_leader.entry_meta.type:* and +not ( + process.entry_leader.entry_meta.type:(container or init or unknown) or + process.parent.pid:1 or + process.parent.executable:( + /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or + /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or + /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or + /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or + /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/* + ) or + process.args_count >= 5 +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process.asciidoc new file mode 100644 index 0000000000..65a3a81ecb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process.asciidoc @@ -0,0 +1,164 @@ +[[prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process]] +=== Third-party Backup Files Deleted via Unexpected Process + +Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Third-party Backup Files Deleted via Unexpected Process* + + +Backups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target. + +Attackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom. + +This rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + + +*False positive analysis* + + +- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together. + + +*Related rules* + + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "deletion" and + ( + /* Veeam Related Backup Files */ + ( + file.extension : ("VBK", "VIB", "VBM") and + not ( + process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + (process.code_signature.trusted == true and process.code_signature.subject_name : ("Veeam Software Group GmbH", "Veeam Software AG")) + ) + ) or + /* Veritas Backup Exec Related Backup File */ + ( + file.extension : "BKF" and + not process.executable : ( + "?:\\Program Files\\Veritas\\Backup Exec\\*", + "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*" + ) + ) + ) and + not ( + process.name : ("MSExchangeMailboxAssistants.exe", "Microsoft.PowerBI.EnterpriseGateway.exe") and + (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + ) and + not file.path : ( + "?:\\ProgramData\\Trend Micro\\*", + "?:\\Program Files (x86)\\Trend Micro\\*", + "?:\\$RECYCLE.BIN\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..8fc2b72133 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc @@ -0,0 +1,174 @@ +[[prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating UAC Bypass Attempt via Windows Directory Masquerading* + + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works[official Microsoft docs page]. + +This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc new file mode 100644 index 0000000000..8146a619f6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc @@ -0,0 +1,177 @@ +[[prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack]] +=== UAC Bypass via Windows Firewall Snap-In Hijack + +Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AzAgarampur/byeintegrity-uac + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating UAC Bypass via Windows Firewall Snap-In Hijack* + + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works[official Microsoft docs page]. + +This rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "mmc.exe" and + /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */ + /* args of the Windows Firewall SnapIn */ + process.parent.args == "WF.msc" and process.name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uncommon-registry-persistence-change.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uncommon-registry-persistence-change.asciidoc new file mode 100644 index 0000000000..ecfb42db5d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-uncommon-registry-persistence-change.asciidoc @@ -0,0 +1,142 @@ +[[prebuilt-rule-8-11-17-uncommon-registry-persistence-change]] +=== Uncommon Registry Persistence Change + +Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + length(registry.data.strings) > 0 and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\*", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\\*", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\IconServiceLib", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AppSetup", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Taskman", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\VmApplet", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script", + "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\*\\ShellComponent", + "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect\\MicrosoftActiveSync", + "HKLM\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect\\MicrosoftActiveSync", + "HKLM\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath", + "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec", + "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script", + "HKLM\\SOFTWARE\\Microsoft\\Command Processor\\Autorun", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script", + "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun", + "HKEY_USERS\\*\\Control Panel\\Desktop\\scrnsave.exe", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\VerifierDlls", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GpExtensions\\*\\DllName", + "HKLM\\SYSTEM\\ControlSet*\\Control\\SafeBoot\\AlternateShell", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\Wds\\rdpwd\\StartupPrograms", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\BootExecute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\SetupExecute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\Execute", + "HKLM\\SYSTEM\\ControlSet*\\Control\\Session Manager\\S0InitialCommand", + "HKLM\\SYSTEM\\ControlSet*\\Control\\ServiceControlManagerExtension", + "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath", + "HKLM\\SYSTEM\\Setup\\CmdLine", + "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and + + not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe", + "C:\\Program Files\\*.exe") and + not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", + "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "C:\\Program Files\\*.exe", + "C:\\Program Files (x86)\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-untrusted-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-untrusted-driver-loaded.asciidoc new file mode 100644 index 0000000000..986ad87737 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-untrusted-driver-loaded.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-17-untrusted-driver-loaded]] +=== Untrusted Driver Loaded + +Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.library-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/TDL +* https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Untrusted Driver Loaded* + + +Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. + +This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security. + +This rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context: + - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field. + - Examine the file creation and modification timestamps: + - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds. + - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation. + - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Use Osquery to investigate the drivers loaded into the system. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + + +*False positive analysis* + + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + + +*Related Rules* + + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "windows" and process.pid == 4 and + dll.code_signature.trusted != true and + not dll.code_signature.status : ("errorExpired", "errorRevoked", "errorCode_endpoint:*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary.asciidoc new file mode 100644 index 0000000000..21b919e7c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary.asciidoc @@ -0,0 +1,204 @@ +[[prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary]] +=== Unusual Network Activity from a Windows System Binary + +Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process-* +* logs-endpoint.events.network-* +* winlogbeat-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Unusual Network Activity from a Windows System Binary* + + +Attackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution. + +This rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + + /* known applocker bypasses */ + (process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "control.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "installutil.exe" or + process.name : "Microsoft.Workflow.Compiler.exe" or + process.name : "MSBuild.exe" or + process.name : "msdt.exe" or + process.name : "mshta.exe" or + process.name : "msiexec.exe" or + process.name : "msxsl.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "regsvr32.exe" or + process.name : "xwizard.exe")] + [network where + (process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "control.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "installutil.exe" or + process.name : "Microsoft.Workflow.Compiler.exe" or + ( + process.name : "msbuild.exe" and + destination.ip != "127.0.0.1" + ) or + process.name : "msdt.exe" or + process.name : "mshta.exe" or + ( + process.name : "msiexec.exe" and not + dns.question.name : ( + "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", + "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local" + ) and + /* Localhost, DigiCert and Comodo CA IP addresses */ + not cidrmatch(destination.ip, "127.0.0.1", "192.229.211.108/32", "192.229.221.95/32", + "152.195.38.76/32", "104.18.14.101/32") + ) or + process.name : "msxsl.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "regsvr32.exe" or + process.name : "xwizard.exe")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe.asciidoc new file mode 100644 index 0000000000..eab3a14e6d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe]] +=== Unusual Parent Process for cmd.exe + +Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon +* Data Source: SentinelOne + +*Version*: 212 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "cmd.exe" and + process.parent.name : ("lsass.exe", + "csrss.exe", + "epad.exe", + "regsvr32.exe", + "dllhost.exe", + "LogonUI.exe", + "wermgr.exe", + "spoolsv.exe", + "jucheck.exe", + "jusched.exe", + "ctfmon.exe", + "taskhostw.exe", + "GoogleUpdate.exe", + "sppsvc.exe", + "sihost.exe", + "slui.exe", + "SIHClient.exe", + "SearchIndexer.exe", + "SearchProtocolHost.exe", + "FlashPlayerUpdateService.exe", + "WerFault.exe", + "WUDFHost.exe", + "unsecapp.exe", + "wlanext.exe" ) and + not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-for-a-windows-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-for-a-windows-host.asciidoc new file mode 100644 index 0000000000..dfb7c0cc61 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-for-a-windows-host.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-17-unusual-process-for-a-windows-host]] +=== Unusual Process For a Windows Host + +Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Persistence +* Resources: Investigation Guide + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Unusual Process For a Windows Host* + + +Searching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors. + +This rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. + - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host? +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process. +- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Retrieve Service Unisgned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False Positive Analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Related Rules* + + +- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76 +- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5 +- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..a819a6655b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host]] +=== Unusual Process Spawned by a Host + +A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..214e55d801 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process]] +=== Unusual Process Spawned by a Parent Process + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..9d1ef1e31e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user]] +=== Unusual Process Spawned by a User + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. + + +*LotL Attack Detection Setup* + +The LotL Attack Detection integration detects living-off-the-land activity in Windows process events. + + +*Prerequisite Requirements:* + +- Fleet is required for LotL Attack Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html). +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. +- To set up and run Winlogbeat, follow https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html[this] guide. + + +*The following steps should be executed to install assets associated with the LotL Attack Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device.asciidoc new file mode 100644 index 0000000000..f96ebc857b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device]] +=== Unusual Process Writing Data to an External Device + +A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded +* https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). + + +*Data Exfiltration Detection Setup* + +The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Data Exfiltration Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the Elastic Defend integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-directory.asciidoc new file mode 100644 index 0000000000..4cbeb212a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-directory.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-unusual-remote-file-directory]] +=== Unusual Remote File Directory + +An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-extension.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-extension.asciidoc new file mode 100644 index 0000000000..96f82e54e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-extension.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-unusual-remote-file-extension]] +=== Unusual Remote File Extension + +An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-size.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-size.asciidoc new file mode 100644 index 0000000000..5a7245818c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-remote-file-size.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-unusual-remote-file-size]] +=== Unusual Remote File Size + +A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- File events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session.asciidoc new file mode 100644 index 0000000000..b43b354f2a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session]] +=== Unusual Time or Day for an RDP Session + +A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd +* https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration +* https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. + + +*Lateral Movement Detection Setup* + +The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature. + + +*Prerequisite Requirements:* + +- Fleet is required for Lateral Movement Detection. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. +- Windows RDP process events collected by the https://docs.elastic.co/en/integrations/endpoint[Elastic Defend] integration. +- To install Elastic Defend, refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[documentation]. + + +*The following steps should be executed to install assets associated with the Lateral Movement Detection integration:* + +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. + + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..8c23cc0a8e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes.asciidoc @@ -0,0 +1,192 @@ +[[prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes]] +=== Web Shell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* +* logs-sentinel_one_cloud_funnel.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: SentinelOne + +*Version*: 213 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Web Shell Detection: Script Process Child of Common Web Processes* + + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server. + +This rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell. + + +*Possible investigation steps* + + +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") and + not + ( + process.parent.name : ("php.exe", "httpd.exe") and process.name : "cmd.exe" and + process.command_line : ( + "cmd.exe /c mode CON", + "cmd.exe /s /c \"mode CON\"", + "cmd.exe /c \"mode\"", + "cmd.exe /s /c \"tput colors 2>&1\"" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification.asciidoc new file mode 100644 index 0000000000..0360d4b592 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification.asciidoc @@ -0,0 +1,170 @@ +[[prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification]] +=== Windows Defender Disabled via Registry Modification + +Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* +* endgame-* +* logs-windows.sysmon_operational-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2020/12/13/defender-control/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Windows Defender Disabled via Registry Modification* + + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for configurations that disable Windows Defender or the start of its service. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if this operation was approved and performed according to the organization's change management policy. + + +*False positive analysis* + + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + + +*Related rules* + + +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Re-enable Windows Defender and restore the service configurations to automatic start. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + ( + ( + registry.path: ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" + ) and + registry.data.strings: ("1", "0x00000001") + ) or + ( + registry.path: ( + "HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start", + "\\REGISTRY\\MACHINE\\System\\*ControlSet*\\Services\\WinDefend\\Start" + ) and + registry.data.strings in ("3", "4", "0x00000003", "0x00000004") + ) + ) and + + not + ( + process.executable : ( + "?:\\WINDOWS\\system32\\services.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe" + ) and user.id : "S-1-5-18" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi.asciidoc new file mode 100644 index 0000000000..f15fc6c2da --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi]] +=== Windows Script Interpreter Executing Process via WMI + +Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-endpoint.events.library-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 5s + [any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (?dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")] + [process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "wmiprvse.exe" and + user.domain != "NT AUTHORITY" and + (process.pe.original_file_name : + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) or + process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + ) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client.asciidoc new file mode 100644 index 0000000000..7bd9ae4de7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client]] +=== Windows Service Installed via an Unusual Client + +Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.x86matthew.com/view_post?id=create_svc_rpc +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'Audit Security System Extension' logging policy must be configured for (Success) +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +System > +Audit Security System Extension (Success) +``` + + +==== Rule query + + +[source, js] +---------------------------------- +configuration where host.os.type == "windows" and + event.action == "service-installed" and + (winlog.event_data.ClientProcessId == "0" or winlog.event_data.ParentProcessId == "0") and + not winlog.event_data.ServiceFileName : ( + "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", + "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", + "%SystemRoot%\\system32\\Drivers\\Crowdstrike\\*-CsInstallerService.exe", + "\"%windir%\\AdminArsenal\\PDQInventory-Scanner\\service-1\\PDQInventory-Scanner-1.exe\" " + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-appendix.asciidoc new file mode 100644 index 0000000000..5aa5ab6a9b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-appendix.asciidoc @@ -0,0 +1,133 @@ +["appendix",role="exclude",id="prebuilt-rule-8-11-17-prebuilt-rules-8-11-17-appendix"] += Downloadable rule update v8.11.17 + +This section lists all updates associated with version 8.11.17 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-11-17-aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc[] +include::prebuilt-rule-8-11-17-insecure-aws-ec2-vpc-security-group-ingress-rule-added.asciidoc[] +include::prebuilt-rule-8-11-17-ssm-session-started-to-ec2-instance.asciidoc[] +include::prebuilt-rule-8-11-17-systemd-service-started-by-unusual-parent-process.asciidoc[] +include::prebuilt-rule-8-11-17-ssh-authorized-keys-file-modification.asciidoc[] +include::prebuilt-rule-8-11-17-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc[] +include::prebuilt-rule-8-11-17-first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc[] +include::prebuilt-rule-8-11-17-route53-resolver-query-log-configuration-deleted.asciidoc[] +include::prebuilt-rule-8-11-17-ec2-ami-shared-with-another-account.asciidoc[] +include::prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity.asciidoc[] +include::prebuilt-rule-8-11-17-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc[] +include::prebuilt-rule-8-11-17-ssh-authorized-keys-file-modified-inside-a-container.asciidoc[] +include::prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc[] +include::prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc[] +include::prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc[] +include::prebuilt-rule-8-11-17-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-process-writing-data-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-11-17-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc[] +include::prebuilt-rule-8-11-17-potential-dga-activity.asciidoc[] +include::prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc[] +include::prebuilt-rule-8-11-17-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc[] +include::prebuilt-rule-8-11-17-github-protected-branch-settings-changed.asciidoc[] +include::prebuilt-rule-8-11-17-high-mean-of-process-arguments-in-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-11-17-high-mean-of-rdp-session-duration.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-remote-file-size.asciidoc[] +include::prebuilt-rule-8-11-17-high-variance-in-rdp-session-duration.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-remote-file-directory.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-remote-file-extension.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-number-of-connections-made-from-a-source-ip.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-number-of-processes-in-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-11-17-spike-in-remote-file-transfers.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-time-or-day-for-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-process-spawned-by-a-host.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-process-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-process-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc[] +include::prebuilt-rule-8-11-17-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-11-17-network-activity-detected-via-kworker.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-11-17-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-11-17-attempt-to-clear-kernel-ring-buffer.asciidoc[] +include::prebuilt-rule-8-11-17-executable-masquerading-as-kernel-process.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-which-enumeration.asciidoc[] +include::prebuilt-rule-8-11-17-potential-reverse-shell-via-child.asciidoc[] +include::prebuilt-rule-8-11-17-potential-reverse-shell.asciidoc[] +include::prebuilt-rule-8-11-17-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-8-11-17-cron-job-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-17-dynamic-linker-copy.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-8-11-17-potential-persistence-through-init-d-detected.asciidoc[] +include::prebuilt-rule-8-11-17-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-file-creation-via-kworker.asciidoc[] +include::prebuilt-rule-8-11-17-potential-linux-backdoor-user-account-creation.asciidoc[] +include::prebuilt-rule-8-11-17-potential-persistence-through-motd-file-creation-detected.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-process-spawned-from-motd-detected.asciidoc[] +include::prebuilt-rule-8-11-17-potential-persistence-through-run-control-detected.asciidoc[] +include::prebuilt-rule-8-11-17-shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-17-potential-suspicious-file-edit.asciidoc[] +include::prebuilt-rule-8-11-17-new-systemd-timer-created.asciidoc[] +include::prebuilt-rule-8-11-17-new-systemd-service-created-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-17-potential-buffer-overflow-attack-detected.asciidoc[] +include::prebuilt-rule-8-11-17-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-web-browser-sensitive-file-access.asciidoc[] +include::prebuilt-rule-8-11-17-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-macos-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-process-for-a-windows-host.asciidoc[] +include::prebuilt-rule-8-11-17-potential-network-sweep-detected.asciidoc[] +include::prebuilt-rule-8-11-17-exporting-exchange-mailbox-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-17-encrypting-files-with-winrar-or-7z.asciidoc[] +include::prebuilt-rule-8-11-17-port-forwarding-rule-addition.asciidoc[] +include::prebuilt-rule-8-11-17-potential-remote-desktop-tunneling-detected.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-screenconnect-client-child-process.asciidoc[] +include::prebuilt-rule-8-11-17-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc[] +include::prebuilt-rule-8-11-17-kirbi-file-creation.asciidoc[] +include::prebuilt-rule-8-11-17-mimikatz-memssp-log-file-detected.asciidoc[] +include::prebuilt-rule-8-11-17-adding-hidden-file-attribute-via-attrib.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-antimalware-scan-interface-dll.asciidoc[] +include::prebuilt-rule-8-11-17-modification-of-amsienable-registry-key.asciidoc[] +include::prebuilt-rule-8-11-17-code-signing-policy-modification-through-built-in-tools.asciidoc[] +include::prebuilt-rule-8-11-17-code-signing-policy-modification-through-registry.asciidoc[] +include::prebuilt-rule-8-11-17-windows-defender-disabled-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-11-17-powershell-script-block-logging-disabled.asciidoc[] +include::prebuilt-rule-8-11-17-dns-over-https-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-11-17-encoded-executable-stored-in-the-registry.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-endpoint-security-parent-process.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-8-11-17-microsoft-windows-defender-tampering.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-network-activity-from-a-windows-system-binary.asciidoc[] +include::prebuilt-rule-8-11-17-local-account-tokenfilter-policy-disabled.asciidoc[] +include::prebuilt-rule-8-11-17-solarwinds-process-disabling-services-via-registry.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-zoom-child-process.asciidoc[] +include::prebuilt-rule-8-11-17-untrusted-driver-loaded.asciidoc[] +include::prebuilt-rule-8-11-17-adfind-command-activity.asciidoc[] +include::prebuilt-rule-8-11-17-enumerating-domain-trusts-via-dsquery-exe.asciidoc[] +include::prebuilt-rule-8-11-17-enumerating-domain-trusts-via-nltest-exe.asciidoc[] +include::prebuilt-rule-8-11-17-unusual-parent-process-for-cmd-exe.asciidoc[] +include::prebuilt-rule-8-11-17-delayed-execution-via-ping.asciidoc[] +include::prebuilt-rule-8-11-17-enumeration-command-spawned-via-wmiprvse.asciidoc[] +include::prebuilt-rule-8-11-17-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-8-11-17-deleting-backup-catalogs-with-wbadmin.asciidoc[] +include::prebuilt-rule-8-11-17-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-file-renamed-via-smb.asciidoc[] +include::prebuilt-rule-8-11-17-potential-ransomware-note-file-dropped-via-smb.asciidoc[] +include::prebuilt-rule-8-11-17-windows-script-interpreter-executing-process-via-wmi.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-ms-outlook-child-process.asciidoc[] +include::prebuilt-rule-8-11-17-adobe-hijack-persistence.asciidoc[] +include::prebuilt-rule-8-11-17-registry-persistence-via-appcert-dll.asciidoc[] +include::prebuilt-rule-8-11-17-persistence-via-scheduled-job-creation.asciidoc[] +include::prebuilt-rule-8-11-17-uncommon-registry-persistence-change.asciidoc[] +include::prebuilt-rule-8-11-17-account-password-reset-remotely.asciidoc[] +include::prebuilt-rule-8-11-17-suspicious-service-was-installed-in-the-system.asciidoc[] +include::prebuilt-rule-8-11-17-system-shells-via-services.asciidoc[] +include::prebuilt-rule-8-11-17-persistence-via-bits-job-notify-cmdline.asciidoc[] +include::prebuilt-rule-8-11-17-web-shell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-8-11-17-disabling-user-account-control-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-11-17-first-time-seen-driver-loaded.asciidoc[] +include::prebuilt-rule-8-11-17-service-control-spawned-via-script-interpreter.asciidoc[] +include::prebuilt-rule-8-11-17-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-8-11-17-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] +include::prebuilt-rule-8-11-17-windows-service-installed-via-an-unusual-client.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-summary.asciidoc new file mode 100644 index 0000000000..ff8dde7c07 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-17/prebuilt-rules-8-11-17-summary.asciidoc @@ -0,0 +1,266 @@ +[[prebuilt-rule-8-11-17-prebuilt-rules-8-11-17-summary]] +[role="xpack"] +== Update v8.11.17 + +This section lists all updates associated with version 8.11.17 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity. | new | 1 + +|<> | Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access. | new | 1 + +|<> | Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource. | new | 1 + +|<> | Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. | new | 1 + +|<> | The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). | update | 206 + +|<> | Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. | update | 3 + +|<> | An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. | update | 311 + +|<> | Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. | update | 2 + +|<> | Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. | update | 2 + +|<> | A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | update | 5 + +|<> | A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | update | 5 + +|<> | This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. | update | 3 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | update | 4 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | update | 4 + +|<> | A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | update | 4 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | update | 4 + +|<> | A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | update | 4 + +|<> | A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | update | 4 + +|<> | A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. | update | 4 + +|<> | A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. | update | 4 + +|<> | A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. | update | 4 + +|<> | A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | update | 4 + +|<> | A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | update | 4 + +|<> | This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks. | update | 3 + +|<> | A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command. | update | 4 + +|<> | A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. | update | 4 + +|<> | A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer. | update | 4 + +|<> | A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. | update | 4 + +|<> | An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring. | update | 4 + +|<> | An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host. | update | 4 + +|<> | A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points. | update | 4 + +|<> | A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked. | update | 4 + +|<> | A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity. | update | 4 + +|<> | A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection. | update | 4 + +|<> | A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack. | update | 4 + +|<> | Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. | update | 106 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. | update | 5 + +|<> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. | update | 5 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | update | 5 + +|<> | This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. | update | 5 + +|<> | This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | update | 9 + +|<> | This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. | update | 8 + +|<> | Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). | update | 5 + +|<> | Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes. | update | 3 + +|<> | This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network. | update | 6 + +|<> | This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. | update | 3 + +|<> | This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. | update | 9 + +|<> | Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. | update | 112 + +|<> | Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. | update | 10 + +|<> | Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. | update | 109 + +|<> | Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. | update | 114 + +|<> | Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. | update | 10 + +|<> | Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. | update | 111 + +|<> | This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. | update | 4 + +|<> | Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. | update | 7 + +|<> | Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. | update | 10 + +|<> | Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. | update | 9 + +|<> | This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. | update | 111 + +|<> | This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. | update | 8 + +|<> | This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system. | update | 5 + +|<> | Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. | update | 10 + +|<> | Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. | update | 10 + +|<> | Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts. | update | 3 + +|<> | Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. | update | 208 + +|<> | Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. | update | 208 + +|<> | Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. | update | 109 + +|<> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. | update | 207 + +|<> | Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. | update | 108 + +|<> | This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. | update | 6 + +|<> | Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. | update | 213 + +|<> | Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. | update | 112 + +|<> | Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. | update | 212 + +|<> | Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. | update | 212 + +|<> | Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software. | update | 103 + +|<> | Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. | update | 210 + +|<> | Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. | update | 107 + +|<> | Identifies the password log file from the default Mimikatz memssp module. | update | 211 + +|<