From c1761cb5053fb213af8d59c21e077f55f9f90cd8 Mon Sep 17 00:00:00 2001 From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Tue, 28 Nov 2023 20:41:33 +0000 Subject: [PATCH] Update latest docs --- ...ess-of-stored-browser-credentials.asciidoc | 86 +++++++ ...-keychain-credentials-directories.asciidoc | 92 ++++++++ ...ured-with-never-expiring-password.asciidoc | 105 +++++++++ ...on-followed-by-network-connection.asciidoc | 82 +++++++ ...ion-with-administrator-privileges.asciidoc | 71 ++++++ ...-10-attempt-to-disable-gatekeeper.asciidoc | 63 ++++++ ...ttempt-to-enable-the-root-account.asciidoc | 66 ++++++ ...tempt-to-install-root-certificate.asciidoc | 68 ++++++ ...-mount-smb-share-via-command-line.asciidoc | 73 ++++++ ...-remove-file-quarantine-attribute.asciidoc | 72 ++++++ ...ndpoint-security-kernel-extension.asciidoc | 76 +++++++ ...authorization-plugin-modification.asciidoc | 69 ++++++ ...on-of-a-hidden-local-user-account.asciidoc | 109 +++++++++ ...-of-hidden-launch-agent-or-daemon.asciidoc | 86 +++++++ ...idden-login-item-via-apple-script.asciidoc | 81 +++++++ ...ount-hashes-via-built-in-commands.asciidoc | 63 ++++++ ...hain-content-via-security-command.asciidoc | 65 ++++++ ...nd-rules-creation-or-modification.asciidoc | 67 ++++++ ...s-or-groups-via-built-in-commands.asciidoc | 89 ++++++++ ...tron-child-process-node-js-module.asciidoc | 72 ++++++ ...xplicit-credentials-via-scripting.asciidoc | 81 +++++++ ...ync-plugin-registered-and-enabled.asciidoc | 75 ++++++ ...seen-newcredentials-logon-process.asciidoc | 66 ++++++ ...ocess-arguments-in-an-rdp-session.asciidoc | 58 +++++ ...high-mean-of-rdp-session-duration.asciidoc | 58 +++++ ...-variance-in-rdp-session-duration.asciidoc | 58 +++++ ...rberos-cached-credentials-dumping.asciidoc | 72 ++++++ ...ssword-retrieval-via-command-line.asciidoc | 79 +++++++ ...odification-and-immediate-loading.asciidoc | 69 ++++++ ...odification-and-immediate-loading.asciidoc | 63 ++++++ ...uest-predicted-to-be-a-dga-domain.asciidoc | 77 +++++++ ...with-a-high-dga-probability-score.asciidoc | 77 +++++++ ...redicted-to-be-malicious-activity.asciidoc | 78 +++++++ ...-high-malicious-probability-score.asciidoc | 79 +++++++ ...using-a-known-sunburst-dns-domain.asciidoc | 77 +++++++ ...ller-package-spawns-network-event.asciidoc | 82 +++++++ ...10-malicious-remote-file-creation.asciidoc | 63 ++++++ ...nvironment-variable-via-launchctl.asciidoc | 78 +++++++ ...ari-settings-via-defaults-command.asciidoc | 75 ++++++ ...-okta-fastpass-phishing-detection.asciidoc | 72 ++++++ ...ectoryservice-plugin-modification.asciidoc | 62 +++++ ...-via-docker-shortcut-modification.asciidoc | 63 ++++++ ...sistence-via-folder-action-script.asciidoc | 74 ++++++ ...sistence-via-login-or-logout-hook.asciidoc | 70 ++++++ ...tial-admin-group-account-addition.asciidoc | 66 ++++++ ...ty-to-an-unusual-destination-port.asciidoc | 58 +++++ ...activity-to-an-unusual-ip-address.asciidoc | 58 +++++ ...n-activity-to-an-unusual-iso-code.asciidoc | 58 +++++ ...ion-activity-to-an-unusual-region.asciidoc | 58 +++++ ...ule-8-9-10-potential-dga-activity.asciidoc | 58 +++++ ...idden-local-user-account-creation.asciidoc | 66 ++++++ ...ntial-kerberos-attack-via-bifrost.asciidoc | 79 +++++++ ...al-macos-ssh-brute-force-detected.asciidoc | 61 +++++ ...-microsoft-office-sandbox-evasion.asciidoc | 63 ++++++ ...via-atom-init-script-modification.asciidoc | 63 ++++++ ...ential-persistence-via-login-hook.asciidoc | 82 +++++++ ...al-persistence-via-periodic-tasks.asciidoc | 68 ++++++ ...-bypass-via-localhost-secure-copy.asciidoc | 74 ++++++ ...rol-bypass-via-tccdb-modification.asciidoc | 69 ++++++ ...ia-root-crontab-file-modification.asciidoc | 67 ++++++ ...pt-for-credentials-with-osascript.asciidoc | 67 ++++++ ...-remote-execution-via-file-shares.asciidoc | 125 ++++++++++ ...0-remote-file-copy-via-teamviewer.asciidoc | 138 +++++++++++ ...creation-on-a-sensitive-directory.asciidoc | 71 ++++++ ...n-enabled-via-systemsetup-command.asciidoc | 70 ++++++ ...le-modified-by-unexpected-process.asciidoc | 105 +++++++++ ...ell-execution-via-apple-scripting.asciidoc | 64 ++++++ ...reupdate-preferences-modification.asciidoc | 67 ++++++ ...to-an-external-device-via-airdrop.asciidoc | 58 +++++ ...-bytes-sent-to-an-external-device.asciidoc | 58 +++++ ...connections-made-from-a-source-ip.asciidoc | 58 +++++ ...nections-made-to-a-destination-ip.asciidoc | 58 +++++ ...er-of-processes-in-an-rdp-session.asciidoc | 58 +++++ ...10-spike-in-remote-file-transfers.asciidoc | 58 +++++ ...r-application-script-modification.asciidoc | 74 ++++++ ...ous-automator-workflows-execution.asciidoc | 63 ++++++ ...-suspicious-browser-child-process.asciidoc | 89 ++++++++ ...icious-calendar-file-modification.asciidoc | 75 ++++++ ...obe-acrobat-reader-update-service.asciidoc | 73 ++++++ ...-crontab-creation-or-modification.asciidoc | 67 ++++++ ...10-suspicious-emond-child-process.asciidoc | 89 ++++++++ ...s-hidden-child-process-of-launchd.asciidoc | 81 +++++++ ...ous-macos-ms-office-child-process.asciidoc | 99 ++++++++ ...ious-managed-code-hosting-process.asciidoc | 74 ++++++ ...suspicious-werfault-child-process.asciidoc | 101 +++++++++ ...process-cluster-spawned-by-a-host.asciidoc | 59 +++++ ...uster-spawned-by-a-parent-process.asciidoc | 61 +++++ ...process-cluster-spawned-by-a-user.asciidoc | 61 +++++ ...systemkey-access-via-command-line.asciidoc | 66 ++++++ ...-via-mounted-apfs-snapshot-access.asciidoc | 63 ++++++ ...ocess-of-macos-screensaver-engine.asciidoc | 81 +++++++ ...unusual-process-spawned-by-a-host.asciidoc | 61 +++++ ...ocess-spawned-by-a-parent-process.asciidoc | 61 +++++ ...unusual-process-spawned-by-a-user.asciidoc | 61 +++++ ...riting-data-to-an-external-device.asciidoc | 58 +++++ ...-10-unusual-remote-file-directory.asciidoc | 58 +++++ ...-10-unusual-remote-file-extension.asciidoc | 58 +++++ ...e-8-9-10-unusual-remote-file-size.asciidoc | 58 +++++ ...al-time-or-day-for-an-rdp-session.asciidoc | 58 +++++ ...rivate-network-connection-attempt.asciidoc | 68 ++++++ ...10-webproxy-settings-modification.asciidoc | 66 ++++++ .../prebuilt-rules-8-9-10-appendix.asciidoc | 107 +++++++++ .../prebuilt-rules-8-9-10-summary.asciidoc | 214 ++++++++++++++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 126 ++++++----- .../prebuilt-rules/rule-desc-index.asciidoc | 2 + ...ess-of-stored-browser-credentials.asciidoc | 3 +- ...-keychain-credentials-directories.asciidoc | 3 +- ...ured-with-never-expiring-password.asciidoc | 2 +- ...-hidden-file-attribute-via-attrib.asciidoc | 2 +- .../adobe-hijack-persistence.asciidoc | 2 +- ...-process-for-a-windows-population.asciidoc | 2 +- ...nomalous-windows-process-creation.asciidoc | 2 +- ...on-followed-by-network-connection.asciidoc | 3 +- ...ion-with-administrator-privileges.asciidoc | 3 +- .../attempt-to-disable-gatekeeper.asciidoc | 3 +- ...ttempt-to-enable-the-root-account.asciidoc | 3 +- ...tempt-to-install-root-certificate.asciidoc | 3 +- ...-mount-smb-share-via-command-line.asciidoc | 3 +- ...-remove-file-quarantine-attribute.asciidoc | 3 +- ...ndpoint-security-kernel-extension.asciidoc | 3 +- ...authorization-plugin-modification.asciidoc | 3 +- .../bypass-uac-via-event-viewer.asciidoc | 2 +- ...dification-through-built-in-tools.asciidoc | 2 +- ...icy-modification-through-registry.asciidoc | 2 +- ...command-prompt-network-connection.asciidoc | 2 +- ...n-to-commonly-abused-web-services.asciidoc | 2 +- ...on-of-a-hidden-local-user-account.asciidoc | 2 +- ...-of-hidden-launch-agent-or-daemon.asciidoc | 3 +- ...idden-login-item-via-apple-script.asciidoc | 3 +- .../direct-outbound-smb-connection.asciidoc | 2 +- ...ount-hashes-via-built-in-commands.asciidoc | 3 +- ...hain-content-via-security-command.asciidoc | 3 +- ...nd-rules-creation-or-modification.asciidoc | 3 +- ...rivileged-local-groups-membership.asciidoc | 2 +- ...s-or-groups-via-built-in-commands.asciidoc | 3 +- ...om-unusual-directory-command-line.asciidoc | 2 +- ...tron-child-process-node-js-module.asciidoc | 3 +- ...xplicit-credentials-via-scripting.asciidoc | 3 +- ...ync-plugin-registered-and-enabled.asciidoc | 3 +- ...value-accessed-in-secrets-manager.asciidoc | 2 +- .../first-time-seen-driver-loaded.asciidoc | 2 +- ...seen-newcredentials-logon-process.asciidoc | 66 ++++++ ...rberos-cached-credentials-dumping.asciidoc | 3 +- ...eros-traffic-from-unusual-process.asciidoc | 2 +- ...ssword-retrieval-via-command-line.asciidoc | 3 +- ...odification-and-immediate-loading.asciidoc | 3 +- ...odification-and-immediate-loading.asciidoc | 3 +- .../linux-group-creation.asciidoc | 4 +- .../linux-user-account-creation.asciidoc | 4 +- ...ux-user-added-to-privileged-group.asciidoc | 4 +- .../lsass-memory-dump-creation.asciidoc | 2 +- .../lsass-memory-dump-handle-access.asciidoc | 2 +- ...ller-package-spawns-network-event.asciidoc | 2 +- ...ld-engine-using-an-alternate-name.asciidoc | 2 +- ...nvironment-variable-via-launchctl.asciidoc | 3 +- ...ari-settings-via-defaults-command.asciidoc | 3 +- ...sbuild-making-network-connections.asciidoc | 2 +- ...failure-followed-by-logon-success.asciidoc | 2 +- ...lure-from-the-same-source-address.asciidoc | 2 +- .../network-connection-via-certutil.asciidoc | 2 +- ...connection-via-compiled-html-file.asciidoc | 2 +- ...nnection-via-registration-utility.asciidoc | 2 +- ...work-connection-via-signed-binary.asciidoc | 2 +- .../new-systemd-timer-created.asciidoc | 4 +- .../okta-fastpass-phishing-detection.asciidoc | 72 ++++++ ...ectoryservice-plugin-modification.asciidoc | 3 +- ...-via-docker-shortcut-modification.asciidoc | 3 +- ...sistence-via-folder-action-script.asciidoc | 3 +- ...sistence-via-login-or-logout-hook.asciidoc | 3 +- ...pdate-orchestrator-service-hijack.asciidoc | 2 +- ...-scripts-in-the-startup-directory.asciidoc | 2 +- ...tial-admin-group-account-addition.asciidoc | 3 +- ...n-interface-bypass-via-powershell.asciidoc | 2 +- ...ess-via-trusted-developer-utility.asciidoc | 2 +- ...ential-evasion-via-filter-manager.asciidoc | 2 +- ...idden-local-user-account-creation.asciidoc | 3 +- ...ntial-kerberos-attack-via-bifrost.asciidoc | 3 +- ...ux-backdoor-user-account-creation.asciidoc | 4 +- ...al-macos-ssh-brute-force-detected.asciidoc | 3 +- ...-microsoft-office-sandbox-evasion.asciidoc | 3 +- ...ication-of-accessibility-binaries.asciidoc | 2 +- ...rsistence-through-init-d-detected.asciidoc | 4 +- ...rough-motd-file-creation-detected.asciidoc | 4 +- ...ence-through-run-control-detected.asciidoc | 4 +- ...via-atom-init-script-modification.asciidoc | 3 +- ...ential-persistence-via-login-hook.asciidoc | 3 +- ...al-persistence-via-periodic-tasks.asciidoc | 3 +- ...-bypass-via-localhost-secure-copy.asciidoc | 3 +- ...rol-bypass-via-tccdb-modification.asciidoc | 3 +- ...alation-via-installerfiletakeover.asciidoc | 2 +- ...ote-code-execution-via-web-server.asciidoc | 4 +- ...indows-error-manager-masquerading.asciidoc | 2 +- .../powershell-psreflect-script.asciidoc | 2 +- ...us-payload-encoded-and-compressed.asciidoc | 2 +- ...tion-via-named-pipe-impersonation.asciidoc | 2 +- ...ia-root-crontab-file-modification.asciidoc | 3 +- .../privileged-account-brute-force.asciidoc | 2 +- ...s-activity-via-compiled-html-file.asciidoc | 2 +- ...-termination-followed-by-deletion.asciidoc | 2 +- ...pt-for-credentials-with-osascript.asciidoc | 3 +- ...istry-persistence-via-appinit-dll.asciidoc | 2 +- .../remote-execution-via-file-shares.asciidoc | 4 +- .../remote-file-copy-via-teamviewer.asciidoc | 4 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 2 +- ...remote-file-download-via-mpcmdrun.asciidoc | 2 +- ...mote-file-download-via-powershell.asciidoc | 2 +- ...e-download-via-script-interpreter.asciidoc | 2 +- ...n-enabled-via-systemsetup-command.asciidoc | 3 +- ...remotely-started-services-via-rpc.asciidoc | 2 +- ...enamed-autoit-scripts-interpreter.asciidoc | 2 +- ...-executed-with-short-program-name.asciidoc | 2 +- ...le-modified-by-unexpected-process.asciidoc | 3 +- ...ol-spawned-via-script-interpreter.asciidoc | 2 +- ...ell-execution-via-apple-scripting.asciidoc | 3 +- ...reupdate-preferences-modification.asciidoc | 3 +- ...-persistence-via-unsigned-process.asciidoc | 2 +- ...-or-run-key-registry-modification.asciidoc | 2 +- ...rsistence-by-a-suspicious-process.asciidoc | 2 +- ...r-application-script-modification.asciidoc | 3 +- ...urst-command-and-control-activity.asciidoc | 2 +- ...us-antimalware-scan-interface-dll.asciidoc | 2 +- ...ous-automator-workflows-execution.asciidoc | 3 +- .../suspicious-browser-child-process.asciidoc | 2 +- ...icious-calendar-file-modification.asciidoc | 3 +- .../suspicious-certutil-commands.asciidoc | 2 +- ...obe-acrobat-reader-update-service.asciidoc | 3 +- ...-crontab-creation-or-modification.asciidoc | 2 +- .../suspicious-emond-child-process.asciidoc | 2 +- ...s-hidden-child-process-of-launchd.asciidoc | 3 +- ...ous-macos-ms-office-child-process.asciidoc | 2 +- ...ious-managed-code-hosting-process.asciidoc | 2 +- ...ous-net-reflection-via-powershell.asciidoc | 2 +- ...able-encoded-in-powershell-script.asciidoc | 2 +- ...us-print-spooler-spl-file-created.asciidoc | 2 +- ...ess-access-via-direct-system-call.asciidoc | 2 +- ...rocess-spawned-from-motd-detected.asciidoc | 4 +- ...rvice-was-installed-in-the-system.asciidoc | 2 +- ...startup-shell-folder-modification.asciidoc | 2 +- ...suspicious-werfault-child-process.asciidoc | 2 +- .../suspicious-zoom-child-process.asciidoc | 2 +- .../svchost-spawning-cmd.asciidoc | 2 +- .../system-shells-via-services.asciidoc | 2 +- ...systemkey-access-via-command-line.asciidoc | 3 +- ...-via-mounted-apfs-snapshot-access.asciidoc | 3 +- ...threat-intel-hash-indicator-match.asciidoc | 2 +- ...-intel-ip-address-indicator-match.asciidoc | 2 +- .../threat-intel-url-indicator-match.asciidoc | 2 +- ...-windows-registry-indicator-match.asciidoc | 2 +- ...ia-windows-directory-masquerading.asciidoc | 2 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 2 +- ...ocess-of-macos-screensaver-engine.asciidoc | 3 +- .../untrusted-driver-loaded.asciidoc | 2 +- ...tion-by-a-system-critical-process.asciidoc | 2 +- ...le-creation-alternate-data-stream.asciidoc | 2 +- ...vity-from-a-windows-system-binary.asciidoc | 2 +- ...unusual-parent-child-relationship.asciidoc | 2 +- ...nusual-process-for-a-windows-host.asciidoc | 2 +- ...rivate-network-connection-attempt.asciidoc | 3 +- .../webproxy-settings-modification.asciidoc | 3 +- ...ntial-dumping-using-netsh-command.asciidoc | 2 +- docs/index.asciidoc | 2 + 262 files changed, 7945 insertions(+), 282 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-of-stored-browser-credentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-to-keychain-credentials-directories.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-account-configured-with-never-expiring-password.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-enable-the-root-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-install-root-certificate.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-authorization-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-emond-rules-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-malicious-remote-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-okta-fastpass-phishing-detection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-folder-action-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-admin-group-account-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-dga-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-login-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-execution-via-file-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-shell-execution-via-apple-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-softwareupdate-preferences-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-remote-file-transfers.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-automator-workflows-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-browser-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-calendar-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-emond-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-werfault-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-systemkey-access-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-size.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-virtual-private-network-connection-attempt.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-webproxy-settings-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-fastpass-phishing-detection.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-of-stored-browser-credentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-of-stored-browser-credentials.asciidoc new file mode 100644 index 0000000000..d495b6a582 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-of-stored-browser-credentials.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-9-10-access-of-stored-browser-credentials]] +=== Access of Stored Browser Credentials + +Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", + "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", + "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies", + "/Users/*/Library/Cookies*", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", + "Login Data", + "Cookies.binarycookies", + "key4.db", + "key3.db", + "logins.json", + "cookies.sqlite" + ) and + not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..f626cddbad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-access-to-keychain-credentials-directories.asciidoc @@ -0,0 +1,92 @@ +[[prebuilt-rule-8-9-10-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : "/opt/jc/bin/jumpcloud-agent" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-account-configured-with-never-expiring-password.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-account-configured-with-never-expiring-password.asciidoc new file mode 100644 index 0000000000..95aa3c2871 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-account-configured-with-never-expiring-password.asciidoc @@ -0,0 +1,105 @@ +[[prebuilt-rule-8-9-10-account-configured-with-never-expiring-password]] +=== Account Configured with Never-Expiring Password + +Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire +* http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Configured with Never-Expiring Password + +Active Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged. + +The setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/source host during the past 48 hours. +- Inspect the account for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. +- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Reset the password of the account and update its password settings. +- Search for other occurrences on the domain. + - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser): + - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft` +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and + message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection.asciidoc new file mode 100644 index 0000000000..c86a31b005 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection]] +=== Apple Script Execution followed by Network Connection + +Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=30s + [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"] + [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and + not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..08deb0bdb4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper.asciidoc new file mode 100644 index 0000000000..924b643278 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper]] +=== Attempt to Disable Gatekeeper + +Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.apple.com/en-us/HT202491 +* https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:(spctl and "--master-disable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-enable-the-root-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-enable-the-root-account.asciidoc new file mode 100644 index 0000000000..abcfff4233 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-enable-the-root-account.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-attempt-to-enable-the-root-account]] +=== Attempt to Enable the Root Account + +Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/dsenableroot.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:dsenableroot and not process.args:"-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-install-root-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-install-root-certificate.asciidoc new file mode 100644 index 0000000000..aa1c5cec3e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-install-root-certificate.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-9-10-attempt-to-install-root-certificate]] +=== Attempt to Install Root Certificate + +Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security-cert.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:security and process.args:"add-trusted-cert" and + not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Install Root Certificate +** ID: T1553.004 +** Reference URL: https://attack.mitre.org/techniques/T1553/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line.asciidoc new file mode 100644 index 0000000000..e98ee2a677 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line]] +=== Attempt to Mount SMB Share via Command Line + +Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.freebsd.org/cgi/man.cgi?mount_smbfs +* https://ss64.com/osx/mount.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : "mount_smbfs" or + (process.name : "open" and process.args : "smb://*") or + (process.name : "mount" and process.args : "smbfs") or + (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*") + ) and + not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute.asciidoc new file mode 100644 index 0000000000..843d5fd817 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute]] +=== Attempt to Remove File Quarantine Attribute + +Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html +* https://ss64.com/osx/xattr.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name : "xattr" and + ( + (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or + (process.args : "-c") or + (process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *")) + ) and not process.args_count > 12 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc new file mode 100644 index 0000000000..febc27f3c7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension]] +=== Attempt to Unload Elastic Endpoint Security Kernel Extension + +Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-authorization-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-authorization-plugin-modification.asciidoc new file mode 100644 index 0000000000..7517ac4831 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-authorization-plugin-modification.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-9-10-authorization-plugin-modification]] +=== Authorization Plugin Modification + +Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/documentation/security/authorization_plug-ins +* https://www.xorrior.com/persistent-credential-theft/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:(/Library/Security/SecurityAgentPlugins/* and + not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and + not process.name:shove and process.code_signature.trusted:true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Authentication Package +** ID: T1547.002 +** Reference URL: https://attack.mitre.org/techniques/T1547/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account.asciidoc new file mode 100644 index 0000000000..0fc795cb0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account]] +=== Creation of a Hidden Local User Account + +Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation of a Hidden Local User Account + +Attackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters. + +This rule uses registry events to identify the creation of local hidden accounts. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Delete the hidden account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\", + "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon.asciidoc new file mode 100644 index 0000000000..1d0bfd3823 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon]] +=== Creation of Hidden Launch Agent or Daemon + +Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : + ( + "/System/Library/LaunchAgents/.*.plist", + "/Library/LaunchAgents/.*.plist", + "/Users/*/Library/LaunchAgents/.*.plist", + "/System/Library/LaunchDaemons/.*.plist", + "/Library/LaunchDaemons/.*.plist" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script.asciidoc new file mode 100644 index 0000000000..8d57da9162 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script]] +=== Creation of Hidden Login Item via Apple Script + +Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*login item*hidden:true*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..b8971cef2a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands]] +=== Dumping Account Hashes via Built-In Commands + +Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored +* https://www.unix.com/man-page/osx/8/mkpassdb/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command.asciidoc new file mode 100644 index 0000000000..e35adc351a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command]] +=== Dumping of Keychain Content via Security Command + +Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-emond-rules-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-emond-rules-creation-or-modification.asciidoc new file mode 100644 index 0000000000..b0a120bd2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-emond-rules-creation-or-modification.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-9-10-emond-rules-creation-or-modification]] +=== Emond Rules Creation or Modification + +Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ +* https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..afd3a6b4e5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence", + "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect", + "/usr/local/jamf/bin/jamf", + "/Library/Application Support/AirWatch/hubd", + "/opt/jc/bin/jumpcloud-agent", + "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon", + "/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module.asciidoc new file mode 100644 index 0000000000..391f09bad6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module]] +=== Execution via Electron Child Process Node.js Module + +Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html +* https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/ +* https://nodejs.org/api/child_process.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting.asciidoc new file mode 100644 index 0000000000..b7329ef29a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting]] +=== Execution with Explicit Credentials via Scripting + +Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf +* https://www.manpagez.com/man/8/security_authtrampoline/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:"security_authtrampoline" and + process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Elevated Execution with Prompt +** ID: T1548.004 +** Reference URL: https://attack.mitre.org/techniques/T1548/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled.asciidoc new file mode 100644 index 0000000000..ecb46e3d4a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled]] +=== Finder Sync Plugin Registered and Enabled + +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and + process.args : "-e" and process.args : "use" and process.args : "-i" and + not process.args : + ( + "com.google.GoogleDrive.FinderSyncAPIExtension", + "com.google.drivefs.findersync", + "com.boxcryptor.osx.Rednif", + "com.adobe.accmac.ACCFinderSync", + "com.microsoft.OneDrive.FinderSync", + "com.insynchq.Insync.Insync-Finder-Integration", + "com.box.desktop.findersyncext" + ) and + not process.parent.executable : ( + "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process.asciidoc new file mode 100644 index 0000000000..d72b78d2b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process]] +=== First Time Seen NewCredentials Logon Process + +Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Token Impersonation/Theft +** ID: T1134.001 +** Reference URL: https://attack.mitre.org/techniques/T1134/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session.asciidoc new file mode 100644 index 0000000000..4a3ad0360f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session]] +=== High Mean of Process Arguments in an RDP Session + +A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration.asciidoc new file mode 100644 index 0000000000..e98b25b5ef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration]] +=== High Mean of RDP Session Duration + +A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration.asciidoc new file mode 100644 index 0000000000..072ee283ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration]] +=== High Variance in RDP Session Duration + +A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping.asciidoc new file mode 100644 index 0000000000..9002db1d92 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping]] +=== Kerberos Cached Credentials Dumping + +Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py +* https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:kcc and + process.args:copy_cred_cache + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..a33ea60583 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and + process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading.asciidoc new file mode 100644 index 0000000000..5fc44c0a38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading]] +=== Launch Agent Creation or Modification and Immediate Loading + +An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [file where host.os.type == "macos" and event.type != "deletion" and + file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*") + ] + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc new file mode 100644 index 0000000000..fda91876ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading]] +=== LaunchDaemon Creation or Modification and Immediate Loading + +Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")] + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc new file mode 100644 index 0000000000..f074e49f9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain]] +=== Machine Learning Detected a DNS Request Predicted to be a DGA Domain + +A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc new file mode 100644 index 0000000000..d6ae1e93b4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score]] +=== Machine Learning Detected a DNS Request With a High DGA Probability Score + +A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_probability > 0.98 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc new file mode 100644 index 0000000000..a2912772d8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity]] +=== Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc new file mode 100644 index 0000000000..79b02122c1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score]] +=== Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score + +A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. + +*Rule type*: eql + +*Rule indices*: + +* endgame-* +* logs-endpoint.events.process-* +* winlogbeat-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or +blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Masquerade Task or Service +** ID: T1036.004 +** Reference URL: https://attack.mitre.org/techniques/T1036/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc new file mode 100644 index 0000000000..98a74b9308 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain]] +=== Machine Learning Detected DGA activity using a known SUNBURST DNS domain + +A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* +* logs-network_traffic.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Domain: Network +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event.asciidoc new file mode 100644 index 0000000000..fae34600b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event]] +=== MacOS Installer Package Spawns Network Event + +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 +* https://github.com/D00MFist/Mystikal + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=30s +[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")] +[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-malicious-remote-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-malicious-remote-file-creation.asciidoc new file mode 100644 index 0000000000..3618ea545d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-malicious-remote-file-creation.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-malicious-remote-file-creation]] +=== Malicious Remote File Creation + +Malicious remote file creation, which can be an indicator of lateral movement activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Domain: Endpoint +* Use Case: Lateral Movement Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.name +[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")] +[file where event.category == "malware" or event.category == "intrusion_detection" +and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl.asciidoc new file mode 100644 index 0000000000..f66a4e0580 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl]] +=== Modification of Environment Variable via Launchctl + +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:launchctl and + process.args:(setenv and not (ANT_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + EDEN_ENV or + LG_WEBOS_TV_SDK_HOME or + RUNTIME_JAVA_HOME or + WEBOS_CLI_TV or + JAVA*_HOME) and + not *.vmoptions) and + not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /usr/local/bin/kr) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command.asciidoc new file mode 100644 index 0000000000..f957ba31d1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command]] +=== Modification of Safari Settings via Defaults Command + +Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:defaults and process.args: + (com.apple.Safari and write and not + ( + UniversalSearchEnabled or + SuppressSearchSuggestions or + WebKitTabToLinksPreferenceKey or + ShowFullURLInSmartSearchField or + com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-okta-fastpass-phishing-detection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-okta-fastpass-phishing-detection.asciidoc new file mode 100644 index 0000000000..60164aedbd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-okta-fastpass-phishing-detection.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-9-10-okta-fastpass-phishing-detection]] +=== Okta FastPass Phishing Detection + +Detects when Okta FastPass prevents a user from authenticating to a phishing website. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://sec.okta.com/fastpassphishingdetection +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Tactic: Initial Access +* Use Case: Identity and Access Audit +* Data Source: Okta + +*Version*: 3 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.category:authentication and + okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification.asciidoc new file mode 100644 index 0000000000..c1702d80db --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification]] +=== Persistence via DirectoryService Plugin Modification + +Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:/Library/DirectoryServices/PlugIns/*.dsplug + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification.asciidoc new file mode 100644 index 0000000000..2975dc0252 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification]] +=== Persistence via Docker Shortcut Modification + +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Preferences/com.apple.dock.plist and + not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-folder-action-script.asciidoc new file mode 100644 index 0000000000..f7718b36f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-folder-action-script.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-9-10-persistence-via-folder-action-script]] +=== Persistence via Folder Action Script + +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt" + ] by process.parent.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook.asciidoc new file mode 100644 index 0000000000..004a4a3fa5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook]] +=== Persistence via Login or Logout Hook + +Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf +* https://www.manpagez.com/man/1/defaults/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and + not process.args : + ( + "Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "Support/JAMF/ManagementFrameworkScripts/loginhook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-admin-group-account-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-admin-group-account-addition.asciidoc new file mode 100644 index 0000000000..f69e3f4325 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-admin-group-account-addition.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-potential-admin-group-account-addition]] +=== Potential Admin Group Account Addition + +Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc new file mode 100644 index 0000000000..3f844c188d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port]] +=== Potential Data Exfiltration Activity to an Unusual Destination Port + +A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc new file mode 100644 index 0000000000..ccec76126f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address]] +=== Potential Data Exfiltration Activity to an Unusual IP Address + +A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc new file mode 100644 index 0000000000..8f625ce0a9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code]] +=== Potential Data Exfiltration Activity to an Unusual ISO Code + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc new file mode 100644 index 0000000000..ec7f8e7448 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region]] +=== Potential Data Exfiltration Activity to an Unusual Region + +A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-6h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-dga-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-dga-activity.asciidoc new file mode 100644 index 0000000000..c65e39d31d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-dga-activity.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-potential-dga-activity]] +=== Potential DGA Activity + +A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/dga + +*Tags*: + +* Use Case: Domain Generation Algorithm Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation.asciidoc new file mode 100644 index 0000000000..1517379244 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation]] +=== Potential Hidden Local User Account Creation + +Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.apple.com/en-us/HT203998 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost.asciidoc new file mode 100644 index 0000000000..f1de453558 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost]] +=== Potential Kerberos Attack via Bifrost + +Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/its-a-feature/bifrost + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab)))) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Ticket +** ID: T1550.003 +** Reference URL: https://attack.mitre.org/techniques/T1550/003/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..b9d271caa5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected]] +=== Potential macOS SSH Brute Force Detected + +Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion.asciidoc new file mode 100644 index 0000000000..4b77249bcd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion]] +=== Potential Microsoft Office Sandbox Evasion + +Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf +* https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/ +* https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Virtualization/Sandbox Evasion +** ID: T1497 +** Reference URL: https://attack.mitre.org/techniques/T1497/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification.asciidoc new file mode 100644 index 0000000000..bcb9540ff7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification]] +=== Potential Persistence via Atom Init Script Modification + +Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js +* https://flight-manual.atom.io/hacking-atom/sections/the-init-file/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-login-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-login-hook.asciidoc new file mode 100644 index 0000000000..60dffd9593 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-login-hook.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-9-10-potential-persistence-via-login-hook]] +=== Potential Persistence via Login Hook + +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.name:"com.apple.loginwindow.plist" and + process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" +)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks.asciidoc new file mode 100644 index 0000000000..288700eafb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks]] +=== Potential Persistence via Periodic Tasks + +Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html +* https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html +* https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc new file mode 100644 index 0000000000..d5986e50c2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy]] +=== Potential Privacy Control Bypass via Localhost Secure Copy + +Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name:"scp" and + process.args:"StrictHostKeyChecking=no" and + process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and + not process.args:"vagrant@*127.0.0.1*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification.asciidoc new file mode 100644 index 0000000000..3641219f9a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification]] +=== Potential Privacy Control Bypass via TCCDB Modification + +Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ +* https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh +* https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and + process.args : "/*/Application Support/com.apple.TCC/TCC.db" and + not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification.asciidoc new file mode 100644 index 0000000000..55b5bfe32b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification]] +=== Privilege Escalation via Root Crontab File Modification + +Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc +* https://www.exploit-db.com/exploits/42146 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..052f4ecf16 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*display dialog*password*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-execution-via-file-shares.asciidoc new file mode 100644 index 0000000000..88b0992a3d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-execution-via-file-shares.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-9-10-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Execution via File Shares + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer.asciidoc new file mode 100644 index 0000000000..647b831fca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer]] +=== Remote File Copy via TeamViewer + +Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Copy via TeamViewer + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and + not + ( + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", + "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + ) and process.code_signature.trusted == true + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory.asciidoc new file mode 100644 index 0000000000..3bf62fffec --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory]] +=== Remote File Creation on a Sensitive Directory + +Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security + +*Tags*: + +* Domain: Endpoint +* Use Case: Lateral Movement Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where (event.action == "creation" or event.action == "modification") and +process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not +user.name:("SYSTEM", "root") and +(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*", + "C*\\Windows\\*", "C*\\Windows\\System\\*", + "C*\\Windows\\System32\\*", "/etc/*", "/tmp*", + "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*", + "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*", + "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*", + "/lib/systemd/*" + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command.asciidoc new file mode 100644 index 0000000000..b6e773ce5b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command]] +=== Remote SSH Login Enabled via systemsetup Command + +Detects use of the systemsetup command to enable remote SSH Login. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf +* https://ss64.com/osx/systemsetup.html +* https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:systemsetup and + process.args:("-setremotelogin" and on) and + not process.parent.executable : /usr/local/jamf/bin/jamf + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process.asciidoc new file mode 100644 index 0000000000..5d2b3436ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process.asciidoc @@ -0,0 +1,105 @@ +[[prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process]] +=== Screensaver Plist File Modified by Unexpected Process + +Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the plist file modification event to identify whether the change was expected or not +- Investigate the process that modified the plist file for malicious code or other suspicious behavior +- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.name: "com.apple.screensaver.*.plist" and + file.path : ( + "/Users/*/Library/Preferences/ByHost/*", + "/Library/Managed Preferences/*", + "/System/Library/Preferences/*" + ) and + ( + process.code_signature.trusted == false or + process.code_signature.exists == false or + + /* common script interpreters and abused native macOS bins */ + process.name : ( + "curl", + "mktemp", + "tail", + "funzip", + "python*", + "osascript", + "perl" + ) + ) and + + /* Filter OS processes modifying screensaver plist files */ + not process.executable : ( + "/usr/sbin/cfprefsd", + "/usr/libexec/xpcproxy", + "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor", + "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-shell-execution-via-apple-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-shell-execution-via-apple-scripting.asciidoc new file mode 100644 index 0000000000..f2016dbd0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-shell-execution-via-apple-scripting.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-9-10-shell-execution-via-apple-scripting]] +=== Shell Execution via Apple Scripting + +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/technotes/tn2065/_index.html +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-softwareupdate-preferences-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-softwareupdate-preferences-modification.asciidoc new file mode 100644 index 0000000000..965ed3f3e4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-softwareupdate-preferences-modification.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-9-10-softwareupdate-preferences-modification]] +=== SoftwareUpdate Preferences Modification + +Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:defaults and + process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc new file mode 100644 index 0000000000..1a3b29e88f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop]] +=== Spike in Bytes Sent to an External Device via Airdrop + +A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Other Network Medium +** ID: T1011 +** Reference URL: https://attack.mitre.org/techniques/T1011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device.asciidoc new file mode 100644 index 0000000000..74e321c47a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device]] +=== Spike in Bytes Sent to an External Device + +A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip.asciidoc new file mode 100644 index 0000000000..2895ba11d6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip]] +=== Spike in Number of Connections Made from a Source IP + +A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc new file mode 100644 index 0000000000..cca562505b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip]] +=== Spike in Number of Connections Made to a Destination IP + +A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session.asciidoc new file mode 100644 index 0000000000..5db710cad9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session]] +=== Spike in Number of Processes in an RDP Session + +A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-remote-file-transfers.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-remote-file-transfers.asciidoc new file mode 100644 index 0000000000..d166d200ef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-spike-in-remote-file-transfers.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-spike-in-remote-file-transfers]] +=== Spike in Remote File Transfers + +A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification.asciidoc new file mode 100644 index 0000000000..00a36acbb9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification]] +=== Sublime Plugin or Application Script Modification + +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and + file.path : + ( + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" + ) and + not process.executable : + ( + "/Applications/Sublime Text*.app/Contents/*", + "/usr/local/Cellar/git/*/bin/git", + "/Library/Developer/CommandLineTools/usr/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-automator-workflows-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-automator-workflows-execution.asciidoc new file mode 100644 index 0000000000..84e2eb8c78 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-automator-workflows-execution.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-suspicious-automator-workflows-execution]] +=== Suspicious Automator Workflows Execution + +Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=30s + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "automator"] + [network where host.os.type == "macos" and process.name:"com.apple.automator.runner"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-browser-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-browser-child-process.asciidoc new file mode 100644 index 0000000000..81e2af133b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-browser-child-process.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-9-10-suspicious-browser-child-process]] +=== Suspicious Browser Child Process + +Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x43.html +* https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and + process.command_line != null and + not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and + not process.args : + ( + "hw.model", + "IOPlatformExpertDevice", + "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh", + "--defaults-torrc", + "*Chrome.app", + "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh", + "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery", + "$DISPLAY", + "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*", + "/opt/homebrew/*", + "/usr/local/*brew*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Drive-by Compromise +** ID: T1189 +** Reference URL: https://attack.mitre.org/techniques/T1189/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-calendar-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-calendar-file-modification.asciidoc new file mode 100644 index 0000000000..d1bb10cb46 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-calendar-file-modification.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-9-10-suspicious-calendar-file-modification]] +=== Suspicious Calendar File Modification + +Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos +* https://github.com/FSecureLABS/CalendarPersist +* https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and + process.executable: + (* and not + ( + /System/Library/* or + /System/Applications/Calendar.app/Contents/MacOS/* or + /System/Applications/Mail.app/Contents/MacOS/Mail or + /usr/libexec/xpcproxy or + /sbin/launchd or + /Applications/* + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc new file mode 100644 index 0000000000..53e964b14a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service]] +=== Suspicious Child Process of Adobe Acrobat Reader Update Service + +Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and + user.name:root and + not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or + /usr/bin/codesign or + /private/var/folders/zz/*/T/download/ARMDCHammer or + /usr/sbin/pkgutil or + /usr/bin/shasum or + /usr/bin/perl* or + /usr/sbin/spctl or + /usr/sbin/installer or + /usr/bin/csrutil) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification.asciidoc new file mode 100644 index 0000000000..1b33d76e66 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification]] +=== Suspicious CronTab Creation or Modification + +Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf +* https://theevilbit.github.io/beyond/beyond_0004/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and process.name != null and + file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-emond-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-emond-child-process.asciidoc new file mode 100644 index 0000000000..1955302f13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-emond-child-process.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-9-10-suspicious-emond-child-process]] +=== Suspicious Emond Child Process + +Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : "emond" and + process.name : ( + "bash", + "dash", + "sh", + "tcsh", + "csh", + "zsh", + "ksh", + "fish", + "Python", + "python*", + "perl*", + "php*", + "osascript", + "pwsh", + "curl", + "wget", + "cp", + "mv", + "touch", + "echo", + "base64", + "launchctl") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd.asciidoc new file mode 100644 index 0000000000..ee83e5b6d7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd]] +=== Suspicious Hidden Child Process of Launchd + +Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x61.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:.* and process.parent.executable:/sbin/launchd + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..5efac132e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process.asciidoc @@ -0,0 +1,99 @@ +[[prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process]] +=== Suspicious macOS MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and + process.name: + ( + "bash", + "dash", + "sh", + "tcsh", + "csh", + "zsh", + "ksh", + "fish", + "python*", + "perl*", + "php*", + "osascript", + "pwsh", + "curl", + "wget", + "cp", + "mv", + "base64", + "launchctl" + ) and + /* noisy false positives related to product version discovery and office errors reporting */ + not process.args: + ( + "ProductVersion", + "hw.model", + "ioreg", + "ProductName", + "ProductUserVisibleVersion", + "ProductBuildVersion", + "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process.asciidoc new file mode 100644 index 0000000000..d46b1e609d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process]] +=== Suspicious Managed Code Hosting Process + +Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] + [file where host.os.type == "windows" and event.type != "deletion" and + file.name : ("wscript.exe.log", + "cscript.exe.log", + "mshta.exe.log", + "wmic.exe.log", + "svchost.exe.log", + "dllhost.exe.log", + "cmstp.exe.log", + "regsvr32.exe.log")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..1c3fe150ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-werfault-child-process.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-9-10-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + + process.parent.name : "WerFault.exe" and + + /* args -s and -t used to execute a process via SilentProcessExit mechanism */ + (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and + + not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..bba0813502 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host]] +=== Suspicious Windows Process Cluster Spawned by a Host + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..ba841b4882 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process]] +=== Suspicious Windows Process Cluster Spawned by a Parent Process + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..fb1f89f29f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user]] +=== Suspicious Windows Process Cluster Spawned by a User + +A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-systemkey-access-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-systemkey-access-via-command-line.asciidoc new file mode 100644 index 0000000000..f5309c2f6d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-systemkey-access-via-command-line.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-systemkey-access-via-command-line]] +=== SystemKey Access via Command Line + +Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc new file mode 100644 index 0000000000..6ae1cf6316 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access]] +=== TCC Bypass via Mounted APFS Snapshot Access + +Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://theevilbit.github.io/posts/cve_2020_9771/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and + process.args:(/System/Volumes/Data and noowners) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Direct Volume Access +** ID: T1006 +** Reference URL: https://attack.mitre.org/techniques/T1006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine.asciidoc new file mode 100644 index 0000000000..81e89b3402 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine]] +=== Unexpected Child Process of macOS Screensaver Engine + +Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such +as a download of a payload from a server. +- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to +identify whether the file is malicious or not. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host.asciidoc new file mode 100644 index 0000000000..f26121e765 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host]] +=== Unusual Process Spawned by a Host + +A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process.asciidoc new file mode 100644 index 0000000000..1cf28e2154 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process]] +=== Unusual Process Spawned by a Parent Process + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user.asciidoc new file mode 100644 index 0000000000..14f2e2704f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user]] +=== Unusual Process Spawned by a User + +A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-45m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/problemchild +* https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Living off the Land Attack Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device.asciidoc new file mode 100644 index 0000000000..e76fadbc18 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device]] +=== Unusual Process Writing Data to an External Device + +A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-2h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/ded + +*Tags*: + +* Use Case: Data Exfiltration Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-directory.asciidoc new file mode 100644 index 0000000000..cd3bd5900f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-directory.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-unusual-remote-file-directory]] +=== Unusual Remote File Directory + +An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-extension.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-extension.asciidoc new file mode 100644 index 0000000000..62026a3f05 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-extension.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-unusual-remote-file-extension]] +=== Unusual Remote File Extension + +An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-size.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-size.asciidoc new file mode 100644 index 0000000000..1ef9abd596 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-remote-file-size.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-unusual-remote-file-size]] +=== Unusual Remote File Size + +A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-90m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session.asciidoc new file mode 100644 index 0000000000..39571ea25f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session.asciidoc @@ -0,0 +1,58 @@ +[[prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session]] +=== Unusual Time or Day for an RDP Session + +A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack. + +*Rule type*: machine_learning + +*Rule indices*: None + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 15m + +*Searches indices from*: now-12h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/lmd + +*Tags*: + +* Use Case: Lateral Movement Detection +* Rule Type: ML +* Rule Type: Machine Learning +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-virtual-private-network-connection-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-virtual-private-network-connection-attempt.asciidoc new file mode 100644 index 0000000000..67f089cdb0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-virtual-private-network-connection-attempt.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-9-10-virtual-private-network-connection-attempt]] +=== Virtual Private Network Connection Attempt + +Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb +* https://www.unix.com/man-page/osx/8/networksetup/ +* https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + (process.name : "networksetup" and process.args : "-connectpppoeservice") or + (process.name : "scutil" and process.args : "--nc" and process.args : "start") or + (process.name : "osascript" and process.command_line : "osascript*set VPN to service*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-webproxy-settings-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-webproxy-settings-modification.asciidoc new file mode 100644 index 0000000000..714ba97852 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rule-8-9-10-webproxy-settings-modification.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-9-10-webproxy-settings-modification]] +=== WebProxy Settings Modification + +Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and + not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or + "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or + "/usr/libexec/xpcproxy") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-appendix.asciidoc new file mode 100644 index 0000000000..eda31e083f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-appendix.asciidoc @@ -0,0 +1,107 @@ +["appendix",role="exclude",id="prebuilt-rule-8-9-10-prebuilt-rules-8-9-10-appendix"] += Downloadable rule update v8.9.10 + +This section lists all updates associated with version 8.9.10 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-9-10-malicious-remote-file-creation.asciidoc[] +include::prebuilt-rule-8-9-10-remote-file-creation-on-a-sensitive-directory.asciidoc[] +include::prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc[] +include::prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc[] +include::prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc[] +include::prebuilt-rule-8-9-10-potential-data-exfiltration-activity-to-an-unusual-region.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-process-writing-data-to-an-external-device.asciidoc[] +include::prebuilt-rule-8-9-10-machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc[] +include::prebuilt-rule-8-9-10-potential-dga-activity.asciidoc[] +include::prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc[] +include::prebuilt-rule-8-9-10-machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc[] +include::prebuilt-rule-8-9-10-high-mean-of-process-arguments-in-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-9-10-high-mean-of-rdp-session-duration.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-remote-file-size.asciidoc[] +include::prebuilt-rule-8-9-10-high-variance-in-rdp-session-duration.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-remote-file-directory.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-remote-file-extension.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-number-of-connections-made-from-a-source-ip.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-number-of-connections-made-to-a-destination-ip.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-number-of-processes-in-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-9-10-spike-in-remote-file-transfers.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-time-or-day-for-an-rdp-session.asciidoc[] +include::prebuilt-rule-8-9-10-okta-fastpass-phishing-detection.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-process-spawned-by-a-host.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-process-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-9-10-unusual-process-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc[] +include::prebuilt-rule-8-9-10-machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-host.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-windows-process-cluster-spawned-by-a-user.asciidoc[] +include::prebuilt-rule-8-9-10-first-time-seen-newcredentials-logon-process.asciidoc[] +include::prebuilt-rule-8-9-10-access-of-stored-browser-credentials.asciidoc[] +include::prebuilt-rule-8-9-10-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-8-9-10-dumping-account-hashes-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-9-10-dumping-of-keychain-content-via-security-command.asciidoc[] +include::prebuilt-rule-8-9-10-kerberos-cached-credentials-dumping.asciidoc[] +include::prebuilt-rule-8-9-10-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-8-9-10-webproxy-settings-modification.asciidoc[] +include::prebuilt-rule-8-9-10-potential-macos-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-9-10-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-9-10-systemkey-access-via-command-line.asciidoc[] +include::prebuilt-rule-8-9-10-softwareupdate-preferences-modification.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-remove-file-quarantine-attribute.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-disable-gatekeeper.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-install-root-certificate.asciidoc[] +include::prebuilt-rule-8-9-10-modification-of-environment-variable-via-launchctl.asciidoc[] +include::prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] +include::prebuilt-rule-8-9-10-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[] +include::prebuilt-rule-8-9-10-modification-of-safari-settings-via-defaults-command.asciidoc[] +include::prebuilt-rule-8-9-10-potential-microsoft-office-sandbox-evasion.asciidoc[] +include::prebuilt-rule-8-9-10-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc[] +include::prebuilt-rule-8-9-10-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-9-10-execution-via-electron-child-process-node-js-module.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-browser-child-process.asciidoc[] +include::prebuilt-rule-8-9-10-macos-installer-package-spawns-network-event.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-automator-workflows-execution.asciidoc[] +include::prebuilt-rule-8-9-10-apple-script-execution-followed-by-network-connection.asciidoc[] +include::prebuilt-rule-8-9-10-shell-execution-via-apple-scripting.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-macos-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-9-10-potential-kerberos-attack-via-bifrost.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-mount-smb-share-via-command-line.asciidoc[] +include::prebuilt-rule-8-9-10-remote-ssh-login-enabled-via-systemsetup-command.asciidoc[] +include::prebuilt-rule-8-9-10-virtual-private-network-connection-attempt.asciidoc[] +include::prebuilt-rule-8-9-10-potential-hidden-local-user-account-creation.asciidoc[] +include::prebuilt-rule-8-9-10-launch-agent-creation-or-modification-and-immediate-loading.asciidoc[] +include::prebuilt-rule-8-9-10-creation-of-hidden-login-item-via-apple-script.asciidoc[] +include::prebuilt-rule-8-9-10-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[] +include::prebuilt-rule-8-9-10-authorization-plugin-modification.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-crontab-creation-or-modification.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-hidden-child-process-of-launchd.asciidoc[] +include::prebuilt-rule-8-9-10-persistence-via-directoryservice-plugin-modification.asciidoc[] +include::prebuilt-rule-8-9-10-persistence-via-docker-shortcut-modification.asciidoc[] +include::prebuilt-rule-8-9-10-emond-rules-creation-or-modification.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-emond-child-process.asciidoc[] +include::prebuilt-rule-8-9-10-attempt-to-enable-the-root-account.asciidoc[] +include::prebuilt-rule-8-9-10-creation-of-hidden-launch-agent-or-daemon.asciidoc[] +include::prebuilt-rule-8-9-10-finder-sync-plugin-registered-and-enabled.asciidoc[] +include::prebuilt-rule-8-9-10-persistence-via-folder-action-script.asciidoc[] +include::prebuilt-rule-8-9-10-persistence-via-login-or-logout-hook.asciidoc[] +include::prebuilt-rule-8-9-10-potential-persistence-via-login-hook.asciidoc[] +include::prebuilt-rule-8-9-10-sublime-plugin-or-application-script-modification.asciidoc[] +include::prebuilt-rule-8-9-10-potential-persistence-via-periodic-tasks.asciidoc[] +include::prebuilt-rule-8-9-10-unexpected-child-process-of-macos-screensaver-engine.asciidoc[] +include::prebuilt-rule-8-9-10-screensaver-plist-file-modified-by-unexpected-process.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-calendar-file-modification.asciidoc[] +include::prebuilt-rule-8-9-10-potential-persistence-via-atom-init-script-modification.asciidoc[] +include::prebuilt-rule-8-9-10-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-8-9-10-execution-with-explicit-credentials-via-scripting.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc[] +include::prebuilt-rule-8-9-10-potential-admin-group-account-addition.asciidoc[] +include::prebuilt-rule-8-9-10-privilege-escalation-via-root-crontab-file-modification.asciidoc[] +include::prebuilt-rule-8-9-10-remote-file-copy-via-teamviewer.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-8-9-10-suspicious-managed-code-hosting-process.asciidoc[] +include::prebuilt-rule-8-9-10-remote-execution-via-file-shares.asciidoc[] +include::prebuilt-rule-8-9-10-account-configured-with-never-expiring-password.asciidoc[] +include::prebuilt-rule-8-9-10-creation-of-a-hidden-local-user-account.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-summary.asciidoc new file mode 100644 index 0000000000..c27ebe6a69 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-9-10/prebuilt-rules-8-9-10-summary.asciidoc @@ -0,0 +1,214 @@ +[[prebuilt-rule-8-9-10-prebuilt-rules-8-9-10-summary]] +[role="xpack"] +== Update v8.9.10 + +This section lists all updates associated with version 8.9.10 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Malicious remote file creation, which can be an indicator of lateral movement activity. | new | 1 + +|<> | Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system. | new | 1 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<> | A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<> | A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. | new | 1 + +|<> | A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | new | 1 + +|<> | A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities. | new | 1 + +|<> | A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration. | new | 1 + +|<> | A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm. | new | 1 + +|<> | A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity. | new | 1 + +|<> | A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | new | 1 + +|<> | A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity. | new | 1 + +|<> | A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command. | new | 1 + +|<> | A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. | new | 1 + +|<> | A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer. | new | 1 + +|<> | A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. | new | 1 + +|<> | An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring. | new | 1 + +|<> | An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host. | new | 1 + +|<> | A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points. | new | 1 + +|<> | A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked. | new | 1 + +|<> | A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity. | new | 1 + +|<> | A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection. | new | 1 + +|<> | A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack. | new | 1 + +|<> | Detects when Okta FastPass prevents a user from authenticating to a phishing website. | new | 3 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. | new | 1 + +|<> | A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious. | new | 1 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. | new | 1 + +|<> | Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. | new | 1 + +|<> | Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. | update | 106 + +|<> | Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | update | 106 + +|<> | Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement. | update | 105 + +|<> | Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 106 + +|<> | Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. | update | 105 + +|<> | Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 106 + +|<> | Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. | update | 105 + +|<> | Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. | update | 106 + +|<> | Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. | update | 106 + +|<> | Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. | update | 105 + +|<> | Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates. | update | 105 + +|<> | Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. | update | 106 + +|<> | Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. | update | 105 + +|<> | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. | update | 105 + +|<> | Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. | update | 105 + +|<> | Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. | update | 106 + +|<> | Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. | update | 106 + +|<> | Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser. | update | 105 + +|<> | Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. | update | 105 + +|<> | Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). | update | 105 + +|<> | Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. | update | 105 + +|<> | Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. | update | 106 + +|<> | Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes. | update | 105 + +|<> | Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. | update | 105 + +|<> | Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. | update | 105 + +|<> | Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. | update | 105 + +|<> | Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. | update | 105 + +|<> | Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. | update | 105 + +|<> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. | update | 105 + +|<> | Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. | update | 105 + +|<> | Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. | update | 106 + +|<> | Detects use of the systemsetup command to enable remote SSH Login. | update | 105 + +|<> | Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. | update | 106 + +|<