diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc new file mode 100644 index 0000000000..67caad5712 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc @@ -0,0 +1,105 @@ +[[prebuilt-rule-8-13-12-attempts-to-brute-force-a-microsoft-365-user-account]] +=== Attempts to Brute Force a Microsoft 365 User Account + +Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem +* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties + +*Tags*: + +* Domain: Cloud +* Domain: SaaS +* Data Source: Microsoft 365 +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 209 + +*Rule authors*: + +* Elastic +* Willem D'Haese +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +==== Setup + + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +from logs-o365.audit-* +| MV_EXPAND event.category +| WHERE event.dataset == "o365.audit" + AND event.category == "authentication" + + // filter only on Entra ID or Exchange audit logs in O365 integration + AND event.provider in ("AzureActiveDirectory", "Exchange") + + // filter only for UserLoginFailed or partial failures + AND event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword") + + // ignore specific logon errors + AND not o365.audit.LogonError in ( + "EntitlementGrantsNotFound", + "UserStrongAuthEnrollmentRequired", + "UserStrongAuthClientAuthNRequired", + "InvalidReplyTo", + "SsoArtifactExpiredDueToConditionalAccess", + "PasswordResetRegistrationRequiredInterrupt", + "SsoUserAccountNotFoundInResourceTenant", + "UserStrongAuthExpired", + "CmsiInterrupt" +) + // filters out non user or application logins based on target + AND o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10") + + // filters only for logins from user or application, ignoring oauth:token + AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)" + +| STATS + // count the number of failed login attempts target per user + login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError + +| WHERE login_attempt_counts > 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-made-public.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-made-public.asciidoc new file mode 100644 index 0000000000..81ef21a4ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-made-public.asciidoc @@ -0,0 +1,132 @@ +[[prebuilt-rule-8-13-12-aws-rds-db-instance-made-public]] +=== AWS RDS DB Instance Made Public + +Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance Made Public* + + +This rule identifies when an RDS DB instance is created or modified to enable public access. While publicly accessible DB instances are a common practice, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Creation/Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance`, `CreateDBInstance` or `CreateDBCluster` actions where the publiclyAccessible parameter was set to true. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance. +- **Verify the Created/Modified Instance**: Check the DB instance that was created or modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this event to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Configuration**: Confirm if the DB instance creation or modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the instance attributes to remove public access and restore it to its previous state. Determine whether attached security groups have been modified to allow additional access and revert any unauthorized changes. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and ( + (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true")) + or + (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Sub-technique: +** Name: Conditional Access Policies +** ID: T1556.009 +** Reference URL: https://attack.mitre.org/techniques/T1556/009/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc new file mode 100644 index 0000000000..94c1e1a154 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-deletion-protection-disabled]] +=== AWS RDS DB Instance or Cluster Deletion Protection Disabled + +Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled* + + +This rule identifies when the deletion protection feature is removed from an RDS DB instance or cluster. Removing deletion protection is a prerequisite for deleting a DB instance. Adversaries may exploit this feature to permanently delete data in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the deletionProtection parameter was changed. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB instance or cluster identifier and any other modifications made to the instance. +- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB instance or cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, reset deletionProtection to true. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html[Deleting AWS RDS DB Instance] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("ModifyDBInstance", "ModifyDBCluster") + and event.outcome == "success" + and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-password-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-password-modified.asciidoc new file mode 100644 index 0000000000..45b179ee1b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-password-modified.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-password-modified]] +=== AWS RDS DB Instance or Cluster Password Modified + +Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance or Cluster Password Modified* + + +This rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance. +- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html[Amazon RDS and Secrets Manager] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("ModifyDBInstance", "ModifyDBCluster") + and event.outcome == "success" + and stringContains(aws.cloudtrail.request_parameters, "masterUserPassword=*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Credentials +** ID: T1098.001 +** Reference URL: https://attack.mitre.org/techniques/T1098/001/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-restored.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-restored.asciidoc new file mode 100644 index 0000000000..76f5b3a508 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-instance-restored.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-13-12-aws-rds-db-instance-restored]] +=== AWS RDS DB Instance Restored + +An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html +* https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Use Case: Asset Visibility +* Tactic: Defense Evasion + +*Version*: 207 + +*Rule authors*: + +* Austin Songer +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") + and event.outcome == "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Cloud Compute Infrastructure +** ID: T1578 +** Reference URL: https://attack.mitre.org/techniques/T1578/ +* Sub-technique: +** Name: Create Cloud Instance +** ID: T1578.002 +** Reference URL: https://attack.mitre.org/techniques/T1578/002/ +* Sub-technique: +** Name: Revert Cloud Instance +** ID: T1578.004 +** Reference URL: https://attack.mitre.org/techniques/T1578/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-snapshot-shared-with-another-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-snapshot-shared-with-another-account.asciidoc new file mode 100644 index 0000000000..9333590c41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-db-snapshot-shared-with-another-account.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-13-12-aws-rds-db-snapshot-shared-with-another-account]] +=== AWS RDS DB Snapshot Shared with Another Account + +Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Snapshot Shared with Another Account* + + +This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared. +- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it. +- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots. + + +*False Positive Analysis* + + +- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB backups and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security: +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html[AWS RDS DB Snapshot Sharing] +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html[AWS RDS ModifyDBSnapshotAttribute] +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot[AWS RDS Snapshot Dump] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute") + and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore") + and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-snapshot-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-snapshot-deleted.asciidoc new file mode 100644 index 0000000000..b8a2b070f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-rds-snapshot-deleted.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-13-12-aws-rds-snapshot-deleted]] +=== AWS RDS Snapshot Deleted + +Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Use Case: Asset Visibility +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and ( + event.action in ("DeleteDBSnapshot", "DeleteDBClusterSnapshot") or + (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "backupRetentionPeriod=0")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-s3-object-encryption-using-external-kms-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-s3-object-encryption-using-external-kms-key.asciidoc new file mode 100644 index 0000000000..d65fe3634f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-aws-s3-object-encryption-using-external-kms-key.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-13-12-aws-s3-object-encryption-using-external-kms-key]] +=== AWS S3 Object Encryption Using External KMS Key + +Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/ +* https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/ +* https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/ +* https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS S3 +* Data Source: AWS KMS +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating AWS S3 Object Encryption Using External KMS Key* + + +This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data. +This rule uses https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule[ES|QL] to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions. +- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets. + + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation:* + + +- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware. +- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing S3 bucket security and protecting against ransomware, refer to the https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html[AWS S3 documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection: +- https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf[ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild] +- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/[S3 Ransomware Part 1: Attack Vector] + + +==== Setup + + +AWS S3 data event types need to be enabled in the CloudTrail trail configuration. + +==== Rule query + + +[source, js] +---------------------------------- +from logs-aws.cloudtrail-* + +// any successful copy event +| where event.dataset == "aws.cloudtrail" + and event.provider == "s3.amazonaws.com" + and event.action == "CopyObject" + and event.outcome == "success" + +// abstract key account id, key id, encrypted object bucket name and object name +| dissect aws.cloudtrail.request_parameters "{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}" + +// filter for s3 objects whose account id is different from the encryption key's account id +// add exceptions based on key.account.id or keyId for known external accounts or encryption keys +| where cloud.account.id != key.account.id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-entra-id-device-code-auth-with-broker-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-entra-id-device-code-auth-with-broker-client.asciidoc new file mode 100644 index 0000000000..655b7f006a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-entra-id-device-code-auth-with-broker-client.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-13-12-entra-id-device-code-auth-with-broker-client]] +=== Entra ID Device Code Auth with Broker Client + +Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure.signinlogs-* +* logs-azure.activitylogs-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf +* https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in +* https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs + +*Tags*: + +* Domain: Cloud +* Data Source: Azure +* Data Source: Microsoft Entra ID +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + +This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. + + +==== Rule query + + +[source, js] +---------------------------------- + event.dataset:(azure.activitylogs or azure.signinlogs) + and azure.signinlogs.properties.authentication_protocol:deviceCode + and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e + and event.outcome:success or ( + azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e + and azure.activitylogs.properties.authentication_protocol:deviceCode) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc new file mode 100644 index 0000000000..a770889c9c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-13-12-google-workspace-api-access-granted-via-domain-wide-delegation]] +=== Google Workspace API Access Granted via Domain-Wide Delegation + +Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developers.google.com/admin-sdk/directory/v1/guides/delegation + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Persistence + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace API Access Granted via Domain-Wide Delegation* + + +Domain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace. + +Applications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold. + +This rule identifies when an application is authorized API client access. + + +*Possible investigation steps* + + +- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert. + - Only users with super admin privileges can authorize API client access. +- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert. + - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID. + - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field. + - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS. +- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings. + + +*False positive analysis* + + +- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected. +- Review scheduled maintenance notes related to expected API access changes. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Review the scope of the authorized API client access in Google Workspace. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://support.google.com/a/answer/7587183[outlined] by Google. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:google_workspace.admin + and event.provider:admin + and event.category:iam + and event.action:AUTHORIZE_API_CLIENT_ACCESS + and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc new file mode 100644 index 0000000000..2d000871dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc @@ -0,0 +1,153 @@ +[[prebuilt-rule-8-13-12-google-workspace-object-copied-to-external-drive-with-app-consent]] +=== Google Workspace Object Copied to External Drive with App Consent + +Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one +* https://developers.google.com/apps-script/guides/bound +* https://support.google.com/a/users/answer/13004165#share_make_a_copy_links + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Tactic: Initial Access +* Resources: Investigation Guide + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace Object Copied to External Drive with App Consent* + + +Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive. + +This rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt. + + +*Possible investigation steps* + +- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert. +- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging. +- Identify the file type by reviewing `google_workspace.drive.file.type`. +- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread. +- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`. + - Review the application ID as well from `google_workspace.token.client.id`. + - This metadata can be used to report the malicious application to Google for permanent blacklisting. +- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`. + - This information will help pivot and triage into what services may have been affected. +- If a container-bound script was attached to the copied object, it will also exist in the user's drive. + - This object should be removed from all users affected and investigated for a better understanding of the malicious code. + + +*False positive analysis* + +- Communicate with the affected user to identify if these actions were intentional +- If a container-bound script exists, review code to identify if it is benign or malicious + + +*Response and remediation* + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. + - Resetting passwords will revoke OAuth tokens which could have been stolen. +- Reactivate multi-factor authentication for the user. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security defaults https://cloud.google.com/security-command-center/docs/how-to-investigate-threats[provided by Google]. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +*Setup* + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +sequence by source.user.email with maxspan=3m +[file where event.dataset == "google_workspace.drive" and event.action == "copy" and + + /* Should only match if the object lives in a Drive that is external to the user's GWS organization */ + google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and + + /* Google Script, Forms, Sheets and Document can have container-bound scripts */ + google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")] + +[any where event.dataset == "google_workspace.token" and event.action == "authorize" and + + /* Ensures application ID references custom app in Google Workspace and not GCP */ + google_workspace.token.client.id : "*apps.googleusercontent.com"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc new file mode 100644 index 0000000000..3318f3095a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc @@ -0,0 +1,143 @@ +[[prebuilt-rule-8-13-12-google-workspace-restrictions-for-marketplace-modified-to-allow-any-app]] +=== Google Workspace Restrictions for Marketplace Modified to Allow Any App + +Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6089179?hl=en + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Use Case: Configuration Audit +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App* + + +Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers. + +Marketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent. + +Google clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google. + +This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications. + + +*Possible investigation steps* + + +- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert. +- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace. +- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made. + - The `google_workspace.admin.application.name` field will help identify what applications were added. +- With the user account, review other potentially related events within the last 48 hours. +- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks. +- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`. + + +*False positive analysis* + + +- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace. +- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs. + - Follow up with the user who added the application to ensure this was intended. +- Verify the application identified has been assessed thoroughly by an administrator. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://support.google.com/a/answer/7587183[outlined] by Google. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) + and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace" + and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-lsass-process-access-via-windows-api.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-lsass-process-access-via-windows-api.asciidoc new file mode 100644 index 0000000000..5203bf5dcf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-lsass-process-access-via-windows-api.asciidoc @@ -0,0 +1,207 @@ +[[prebuilt-rule-8-13-12-lsass-process-access-via-windows-api]] +=== LSASS Process Access via Windows API + +Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.api-* +* logs-m365_defender.event-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Execution +* Data Source: Elastic Defend +* Data Source: Microsoft Defender for Endpoint + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating LSASS Process Access via Windows API* + + +The Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation. + +This rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the "lsass.exe" process. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle. + - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Determine the first time the process executable was seen in the environment and if this behavior happened in the past. + - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. + - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes. +- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights[Microsoft documentation] may be useful to help the interpretation. +- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the executables of the processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + + +*False positive analysis* + + +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions. + + +*Related Rules* + + +- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609 +- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48 +- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de + + +*Response and Remediation* + + +- Initiate the incident response process based on the outcome of the triage. + - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Reimage the host operating system or restore the compromised files to clean versions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +api where host.os.type == "windows" and + process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and + not + ( + process.executable : ( + "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe", + "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", + "?:\\Program Files (x86)\\eScan\\reload.exe", + "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", + "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe", + "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", + "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", + "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", + "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", + "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", + "?:\\Program Files\\Huntress\\HuntressAgent.exe", + "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", + "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", + "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe", + "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", + "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe", + "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\System32\\csrss.exe", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\taskhostw.exe", + "?:\\Windows\\System32\\RtkAudUService64.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe", + "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe", + "?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe", + "?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe", + "?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe", + "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\KES*\\avp.exe", + "?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe", + "?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe" + ) and not ?process.code_signature.trusted == false + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-multiple-device-token-hashes-for-single-okta-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-multiple-device-token-hashes-for-single-okta-session.asciidoc new file mode 100644 index 0000000000..cc0531e018 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-multiple-device-token-hashes-for-single-okta-session.asciidoc @@ -0,0 +1,143 @@ +[[prebuilt-rule-8-13-12-multiple-device-token-hashes-for-single-okta-session]] +=== Multiple Device Token Hashes for Single Okta Session + +This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Credential Access +* Domain: SaaS + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Multiple Device Token Hashes for Single Okta Session* + + +This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. + + +*Possible investigation steps:* + +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert. +- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - Authentication events have been filtered out to focus on Okta activity via established sessions. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. +- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action. + - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily. + + +*False positive analysis:* + +- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established. + + +*Response and remediation:* + +- Consider stopping all sessions for the user(s) involved in this action. +- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. + + +==== Setup + + + +*Setup* + + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + // ignore authentication events where session and device token hash change often + AND NOT event.action IN ( + "policy.evaluate_sign_on", + "user.session.start", + "user.authentication.sso" + ) + // ignore Okta system events and only allow registered users + AND ( + okta.actor.alternate_id != "system@okta.com" + AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+" + ) + AND okta.authentication_context.external_session_id != "unknown" +| STATS + dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY + okta.actor.alternate_id, + okta.authentication_context.external_session_id +| WHERE + dt_hash_counts >= 2 +| SORT + dt_hash_counts DESC + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc new file mode 100644 index 0000000000..1b79210cc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-13-12-potential-aws-s3-bucket-ransomware-note-uploaded]] +=== Potential AWS S3 Bucket Ransomware Note Uploaded + +Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf +* https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/ +* https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS S3 +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating Potential AWS S3 Bucket Ransomware Note Uploaded* + + +This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note. + + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. +- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy. + + +*Response and Remediation:* + + +- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware. +- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing S3 bucket security and protecting against ransomware, refer to the https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html[AWS S3 documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection: +- https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf[ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild] +- https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/[AWS S3 Ransomware Batch Deletion] +- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/[S3 Ransomware Part 1: Attack Vector] + + +==== Setup + + +AWS S3 data types need to be enabled in the CloudTrail trail configuration. + +==== Rule query + + +[source, js] +---------------------------------- +from logs-aws.cloudtrail-* + +// any successful uploads via S3 API requests +| where event.dataset == "aws.cloudtrail" + and event.provider == "s3.amazonaws.com" + and event.action == "PutObject" + and event.outcome == "success" + +// abstract object name from API request parameters +| dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}" + +// regex on common ransomware note extensions +| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)" + and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)" + +// aggregate by S3 bucket, resource and object name +| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name + +// filter for single occurrence to eliminate common upload operations +| where note_upload_count == 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-powershell-obfuscated-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-powershell-obfuscated-script.asciidoc new file mode 100644 index 0000000000..e2566087ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-powershell-obfuscated-script.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-13-12-potential-powershell-obfuscated-script]] +=== Potential PowerShell Obfuscated Script + +Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI). + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.powershell* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/danielbohannon/Invoke-Obfuscation + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[string]::join" or + "-Join" or + "[convert]::toint16" or + "[char][int]$_" or + ("ConvertTo-SecureString" and "PtrToStringAuto") or + ".GetNetworkCredential().password" or + "-BXor" or + ("replace" and "char") or + "[array]::reverse" + ) and + powershell.file.script_block_text : ( + ("$pSHoMe[" and "+$pSHoMe[") or + ("$ShellId[" and "+$ShellId[") or + ("$env:ComSpec[4" and "25]-Join") or + (("Set-Variable" or "SV" or "Set-Item") and "OFS") or + ("*MDR*" and "Name[3,11,2]") or + ("$VerbosePreference" and "[1,3]+'X'-Join''") or + ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-ransomware-note-file-dropped-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-ransomware-note-file-dropped-via-smb.asciidoc new file mode 100644 index 0000000000..3ad5e41ece --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-potential-ransomware-note-file-dropped-via-smb.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-13-12-potential-ransomware-note-file-dropped-via-smb]] +=== Potential Ransomware Note File Dropped via SMB + +Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file creation with similar file naming convention via SMB. + + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1" and + network.type == "ipv4" and not endswith(source.address, destination.address)] + [file where host.os.type == "windows" and event.action == "creation" and + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and + file.path : "C:\\Users\\*" and + /* ransom file name keywords */ + file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-sensitive-registry-hive-access-via-regback.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-sensitive-registry-hive-access-via-regback.asciidoc new file mode 100644 index 0000000000..b059257c0f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-sensitive-registry-hive-access-via-regback.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-13-12-sensitive-registry-hive-access-via-regback]] +=== Sensitive Registry Hive Access via RegBack + +Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Sensitive Registry Hive Access via RegBack* + + +Collecting registry hives is a common way to access credential information as some hives store credential material. + +For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets). + +Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + + +*Possible investigation steps* + + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the credential material was exfiltrated or processed locally by other tools. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. + + +*False positive analysis* + + +- Administrators can export registry hives for backup purposes. Check whether the user is legitamitely performing this kind of activity. + + +*Related rules* + + +- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and + event.action == "open" and event.outcome == "success" and process.executable != null and + file.path : + ("?:\\Windows\\System32\\config\\RegBack\\SAM", + "?:\\Windows\\System32\\config\\RegBack\\SECURITY", + "?:\\Windows\\System32\\config\\RegBack\\SYSTEM") and + not (user.id == "S-1-5-18" and process.executable : "?:\\Windows\\system32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-shadow-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-shadow-file-modification.asciidoc new file mode 100644 index 0000000000..a171a871bd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-shadow-file-modification.asciidoc @@ -0,0 +1,107 @@ +[[prebuilt-rule-8-13-12-shadow-file-modification]] +=== Shadow File Modification + +This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click Add integrations. +- In the query bar, search for Elastic Defend and select the integration to see more details about it. +- Click Add Elastic Defend. +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click Save and Continue. +- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and +file.path == "/etc/shadow" and file.Ext.original.path != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-ssh-key-generated-via-ssh-keygen.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-ssh-key-generated-via-ssh-keygen.asciidoc new file mode 100644 index 0000000000..568f6f9090 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-ssh-key-generated-via-ssh-keygen.asciidoc @@ -0,0 +1,88 @@ +[[prebuilt-rule-8-13-12-ssh-key-generated-via-ssh-keygen]] +=== SSH Key Generated via ssh-keygen + +This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("creation", "file_create_event") and +process.executable == "/usr/bin/ssh-keygen" and file.path : ("/home/*/.ssh/*", "/root/.ssh/*", "/etc/ssh/*") and +not file.name : "known_hosts.*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: SSH Authorized Keys +** ID: T1098.004 +** Reference URL: https://attack.mitre.org/techniques/T1098/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-file-renamed-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-file-renamed-via-smb.asciidoc new file mode 100644 index 0000000000..8d3af6e1b5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-file-renamed-via-smb.asciidoc @@ -0,0 +1,139 @@ +[[prebuilt-rule-8-13-12-suspicious-file-renamed-via-smb]] +=== Suspicious File Renamed via SMB + +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file rename over SMB. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1" and + network.type == "ipv4" and not endswith(source.address, destination.address)] + [file where host.os.type == "windows" and + event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and + file.extension != null and file.Ext.entropy >= 6 and file.path : "C:\\Users\\*" and + file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and + not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-inter-process-communication-via-outlook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-inter-process-communication-via-outlook.asciidoc new file mode 100644 index 0000000000..bac5688aa6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-inter-process-communication-via-outlook.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-13-12-suspicious-inter-process-communication-via-outlook]] +=== Suspicious Inter-Process Communication via Outlook + +Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.process* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m +[process where host.os.type == "windows" and event.action == "start" and + ( + process.name : ( + "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", + "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe" + ) or + ( + (process.code_signature.trusted == false or process.code_signature.exists == false) and + (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) + ) + ) +] by process.entity_id +[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and + process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Local Email Collection +** ID: T1114.001 +** Reference URL: https://attack.mitre.org/techniques/T1114/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc new file mode 100644 index 0000000000..51831beda1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-13-12-suspicious-microsoft-365-mail-access-by-clientappid]] +=== Suspicious Microsoft 365 Mail Access by ClientAppId + +Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-o365* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a + +*Tags*: + +* Domain: Cloud +* Data Source: Microsoft 365 +* Use Case: Configuration Audit +* Tactic: Initial Access + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Microsoft 365 Mail Access by ClientAppId* + + +- Verify the ClientAppId, source.ip and geolocation associated with Mail Access. +- Verify the total number of used ClientAppId by that specific user.id. +- Verify if the mailbox owner was on leave and just resumed working or not. +- Verify if there are other alerts associated with the same user.id. +- Verify the total number of connections from that ClientAppId, if it's accessing other mailboxes and with a high frequency there is a high chance it's a false positive. + + +*False positive analysis* + + +- Legit Microsoft or third party ClientAppId. +- User changing of ClientAppId or new connection post an extended period of leave. +- If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive. + + +==== Setup + + + +*Setup* + + +The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success and +not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e366-9d6d-4c70-b22a-34c7ea72d73d" or + "a3883eba-fbe9-48bd-9ed3-dca3e0e84250" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or "27922004-5251-4030-b22d-91ecd9a37ea4" or + "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "00000002-0000-0000-c000-000000000000" or + "00000002-0000-0ff1-ce00-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or "00000003-0000-0ff1-ce00-000000000000" or + "00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or "00000006-0000-0ff1-ce00-000000000000" or + "00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or + "00000009-0000-0000-c000-000000000000" or "0000000c-0000-0000-c000-000000000000" or "00000015-0000-0000-c000-000000000000" or + "0000001a-0000-0000-c000-000000000000" or "00b41c95-dab0-4487-9791-b9d2c32c80f2" or "022907d3-0f1b-48f7-badc-1ba6abab6d66" or + "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or "08e18876-6177-487e-b8b5-cf950c1e598c" or "0cb7b9ec-5336-483b-bc31-b15b5788de71" or + "0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e" or "0f698dd4-f011-4d23-a33e-b36416dcb1e6" or "13937bba-652e-4c46-b222-3003f4d1ff97" or + "14d82eec-204b-4c2f-b7e8-296a70dab67e" or "16aeb910-ce68-41d1-9ac3-9e1673ac9575" or "1786c5ed-9644-47b2-8aa0-7201292175b6" or + "17d5e35f-655b-4fb0-8ae6-86356e9a49f5" or "18fbca16-2224-45f6-85b0-f7bf2b39b3f3" or "1950a258-227b-4e31-a9cf-717495945fc2" or + "1b3c667f-cde3-4090-b60b-3d2abd0117f0" or "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "20a11fe0-faa8-4df5-baf2-f965f8f9972e" or + "23523755-3a2b-41ca-9315-f81f3f566a95" or "243c63a3-247d-41c5-9d83-7788c43f1c43" or "268761a2-03f3-40df-8a8b-c3db24145b6b" or + "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "26abc9a8-24f0-4b11-8234-e86ede698878" or "27922004-5251-4030-b22d-91ecd9a37ea4" or + "28b567f6-162c-4f54-99a0-6887f387bbcc" or "29d9ed98-a469-4536-ade2-f981bc1d605e" or "2abdc806-e091-4495-9b10-b04d93c3f040" or + "2d4d3d8e-2be3-4bef-9f87-7875a61c29de" or "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or "3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7" or + "35d54a08-36c9-4847-9018-93934c62740c" or "37182072-3c9c-4f6a-a4b3-b3f91cacffce" or "38049638-cc2c-4cde-abe4-4479d721ed44" or + "3c896ded-22c5-450f-91f6-3d1ef0848f6e" or "4345a7b9-9a63-4910-a426-35363201d503" or "45a330b1-b1ec-4cc1-9161-9f03992aa49f" or + "4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or "4b233688-031c-404b-9a80-a4f3f2351f90" or + "4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or + "5572c4c0-d078-44ce-b81c-6cbf8d3ed39e" or "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" or "60c8bde5-3167-4f92-8fdb-059f6176dc0f" or + "61109738-7d2b-4a0b-9fe3-660b1ff83505" or "62256cef-54c0-4cb4-bcac-4c67989bdc40" or "6253bca8-faf2-4587-8f2f-b056d80998a7" or + "65d91a3d-ab74-42e6-8a2f-0add61688c74" or "66a88757-258c-4c72-893c-3e8bed4d6899" or "67e3df25-268a-4324-a550-0de1c7f97287" or + "69893ee3-dd10-4b1c-832d-4870354be3d8" or "74658136-14ec-4630-ad9b-26e160ff0fc6" or "74bcdadc-2fdc-4bb3-8459-76d06952a0e9" or + "797f4846-ba00-4fd7-ba43-dac1f8f63013" or "7ab7862c-4c57-491e-8a45-d52a7e023983" or "7ae974c5-1af7-4923-af3a-fb1fd14dcb7e" or + "7b7531ad-5926-4f2d-8a1d-38495ad33e17" or "80ccca67-54bd-44ab-8625-4b79c4dc7775" or "835b2a73-6e10-4aa5-a979-21dfda45231c" or + "871c010f-5e61-4fb1-83ac-98610a7e9110" or "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7" or "8edd93e1-2103-40b4-bd70-6e34e586362d" or + "905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba" or "91ca2ca5-3b3e-41dd-ab65-809fa3dffffa" or "93625bc8-bfe2-437a-97e0-3d0060024faa" or + "93d53678-613d-4013-afc1-62e9e444a0a5" or "944f0bd1-117b-4b1c-af26-804ed95e767e" or "94c63fef-13a3-47bc-8074-75af8c65887a" or + "95de633a-083e-42f5-b444-a4295d8e9314" or "97cb1f73-50df-47d1-8fb0-0271f2728514" or "98db8bd6-0cc0-4e67-9de5-f187f1cd1b41" or + "99b904fd-a1fe-455c-b86c-2f9fb1da7687" or "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7" or "a3475900-ccec-4a69-98f5-a65cd5dc5306" or + "a3b79187-70b2-4139-83f9-6016c58cd27b" or "a57aca87-cbc0-4f3c-8b9e-dc095fdc8978" or "a970bac6-63fe-4ec5-8884-8536862c42d4" or + "a9b49b65-0a12-430b-9540-c80b3332c127" or "ab9b8c07-8f02-4f72-87fa-80105867a763" or "ae8e128e-080f-4086-b0e3-4c19301ada69" or + "b23dd4db-9142-4734-867f-3577f640ad0c" or "b4bddae8-ab25-483e-8670-df09b9f1d0ea" or "b669c6ea-1adf-453f-b8bc-6d526592b419" or + "b6e69c34-5f1f-4c34-8cdf-7fea120b8670" or "bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4" or "bdd48c81-3a58-4ea9-849c-ebea7f6b6360" or + "c1c74fed-04c9-4704-80dc-9f79a2e515cb" or "c35cb2ba-f88b-4d15-aa9d-37bd443522e1" or "c44b4083-3bb0-49c1-b47d-974e53cbdf3c" or + "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87" or "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" or "cf36b471-5b44-428c-9ce7-313bf84528de" or + "cf53fce8-def6-4aeb-8d30-b158e7b1cf83" or "d176f6e7-38e5-40c9-8a78-3998aab820e7" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or + "d73f4b35-55c9-48c7-8b10-651f6f2acb2e" or "d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0" or "de8bc8b5-d9f9-48b1-a8ad-b748da725064" or + "dfe74da8-9279-44ec-8fb2-2aed9e1c73d0" or "e1ef36fd-b883-4dbf-97f0-9ece4b576fc6" or "e64aa8bc-8eb4-40e2-898b-cf261a25954f" or + "e9f49c6b-5ce5-44c8-925d-015017e9f7ad" or "ee272b19-4411-433f-8f28-5c13cb6fd407" or "f5eaa862-7f08-448c-9c4e-f4047d4d4521" or + "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-tampering-of-shell-command-line-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-tampering-of-shell-command-line-history.asciidoc new file mode 100644 index 0000000000..86679575af --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-tampering-of-shell-command-line-history.asciidoc @@ -0,0 +1,94 @@ +[[prebuilt-rule-8-13-12-tampering-of-shell-command-line-history]] +=== Tampering of Shell Command-Line History + +Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Auditd Manager + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and + ( + ((process.args : ("rm", "echo") or + (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or + (process.args : "truncate" and process.args : "-s0")) + and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history", + ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or + (process.args : "history" and process.args : "-c") or + (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or + (process.args : "unset" and process.args : "HISTFILE") or + (process.args : "set" and process.args : "history" and process.args : "+o") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-unusual-file-creation-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..4a7b62eb83 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rule-8-13-12-unusual-file-creation-alternate-data-stream.asciidoc @@ -0,0 +1,217 @@ +[[prebuilt-rule-8-13-12-unusual-file-creation-alternate-data-stream]] +=== Unusual File Creation - Alternate Data Stream + +Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 115 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Unusual File Creation - Alternate Data Stream* + + +Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute. + +The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream. + +Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this: + - `Get-Content C:\Path\To\file.exe -stream SampleAlternateDataStreamName` +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + + +*False positive analysis* + + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + + file.path : "C:\\*:*" and + not file.path : + ("C:\\*:zone.identifier*", + "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA", + "C:\\Windows\\CSC\\*:CscBitmapStream") and + + not process.executable : ( + "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\DataExchangeHost.exe", + "?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe", + "?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\System32\\PickerHost.exe", + "?:\\Windows\\System32\\RuntimeBroker.exe", + "?:\\Windows\\System32\\SearchProtocolHost.exe", + "?:\\Windows\\System32\\sihost.exe", + "?:\\windows\\System32\\svchost.exe" + ) and + + file.extension : + ( + "pdf", + "dll", + "exe", + "dat", + "com", + "bat", + "cmd", + "sys", + "vbs", + "ps1", + "hta", + "txt", + "vbe", + "js", + "wsh", + "docx", + "doc", + "xlsx", + "xls", + "pptx", + "ppt", + "rtf", + "gif", + "jpg", + "png", + "bmp", + "img", + "iso" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-appendix.asciidoc new file mode 100644 index 0000000000..6cc42719f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-appendix.asciidoc @@ -0,0 +1,31 @@ +["appendix",role="exclude",id="prebuilt-rule-8-13-12-prebuilt-rules-8-13-12-appendix"] += Downloadable rule update v8.13.12 + +This section lists all updates associated with version 8.13.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-13-12-aws-rds-db-snapshot-shared-with-another-account.asciidoc[] +include::prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc[] +include::prebuilt-rule-8-13-12-aws-rds-snapshot-deleted.asciidoc[] +include::prebuilt-rule-8-13-12-aws-s3-object-encryption-using-external-kms-key.asciidoc[] +include::prebuilt-rule-8-13-12-aws-rds-db-instance-or-cluster-password-modified.asciidoc[] +include::prebuilt-rule-8-13-12-aws-rds-db-instance-made-public.asciidoc[] +include::prebuilt-rule-8-13-12-entra-id-device-code-auth-with-broker-client.asciidoc[] +include::prebuilt-rule-8-13-12-shadow-file-modification.asciidoc[] +include::prebuilt-rule-8-13-12-sensitive-registry-hive-access-via-regback.asciidoc[] +include::prebuilt-rule-8-13-12-potential-powershell-obfuscated-script.asciidoc[] +include::prebuilt-rule-8-13-12-tampering-of-shell-command-line-history.asciidoc[] +include::prebuilt-rule-8-13-12-aws-rds-db-instance-restored.asciidoc[] +include::prebuilt-rule-8-13-12-potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc[] +include::prebuilt-rule-8-13-12-google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc[] +include::prebuilt-rule-8-13-12-google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc[] +include::prebuilt-rule-8-13-12-google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc[] +include::prebuilt-rule-8-13-12-attempts-to-brute-force-a-microsoft-365-user-account.asciidoc[] +include::prebuilt-rule-8-13-12-suspicious-microsoft-365-mail-access-by-clientappid.asciidoc[] +include::prebuilt-rule-8-13-12-multiple-device-token-hashes-for-single-okta-session.asciidoc[] +include::prebuilt-rule-8-13-12-ssh-key-generated-via-ssh-keygen.asciidoc[] +include::prebuilt-rule-8-13-12-suspicious-inter-process-communication-via-outlook.asciidoc[] +include::prebuilt-rule-8-13-12-lsass-process-access-via-windows-api.asciidoc[] +include::prebuilt-rule-8-13-12-unusual-file-creation-alternate-data-stream.asciidoc[] +include::prebuilt-rule-8-13-12-suspicious-file-renamed-via-smb.asciidoc[] +include::prebuilt-rule-8-13-12-potential-ransomware-note-file-dropped-via-smb.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-summary.asciidoc new file mode 100644 index 0000000000..06632970fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-summary.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-13-12-prebuilt-rules-8-13-12-summary]] +[role="xpack"] +== Update v8.13.12 + +This section lists all updates associated with version 8.13.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration. | new | 1 + +|<> | Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment. | new | 1 + +|<> | Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot. | new | 1 + +|<> | Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data. | new | 1 + +|<> | Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation. | new | 1 + +|<> | Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls. | new | 1 + +|<> | Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). | new | 1 + +|<> | This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system. | new | 1 + +|<> | Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder. | new | 1 + +|<> | Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI). | new | 1 + +|<> | Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. | update | 106 + +|<> | An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. | update | 207 + +|<> | Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. | update | 2 + +|<> | Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. | update | 107 + +|<> | Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept. | update | 5 + +|<> | Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. | update | 206 + +|<> | Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. | update | 209 + +|<> | Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. | update | 107 + +|<> | This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. | update | 102 + +|<> | This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems. | update | 2 + +|<> | Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. | update | 7 + +|<> | Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. | update | 9 + +|<> | Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. | update | 115 + +|<> | Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. | update | 3 + +|<> | Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. | update | 3 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 5c8b6c803d..bdcd613888 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 09 Jul 2024 | 10 | 15 | +This release includes new rules for Windows, Linux , AWS and Azure integration. New rules for Windows include detection for credential access and defense evasion. New rules for Linux include detection for persistence. New rules for AWS include detection for exfiltration, persistence and impact. New rules for Azure include detection for credential access. Additionally, significant rule tuning for Windows, Linux, AWS, Google Workplace and Microsoft 365 integration rules has been added for better rule efficacy and performance. + + |<> | 28 Jun 2024 | 12 | 28 | This release includes new rules and tuned for Windows, Linux and AWS integration. New rules for Windows include detection for persistence and execution. New rules for Linux include detection for persistence and privilege escalation. New rules for AWS include detection for defense evasion. Additionally, significant rule tuning for Windows, Linux and AWS rules has been added for better rule efficacy and performance. @@ -84,3 +88,4 @@ include::downloadable-packages/8-13-8/prebuilt-rules-8-13-8-summary.asciidoc[lev include::downloadable-packages/8-13-9/prebuilt-rules-8-13-9-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-13-10/prebuilt-rules-8-13-10-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-13-11/prebuilt-rules-8-13-11-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-13-12/prebuilt-rules-8-13-12-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index c9f9f0b82b..ac72a215a6 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc @@ -120,8 +120,18 @@ and their rule type is `machine_learning`. |<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Persistence] |None |206 +|<> |Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion] |None |1 + +|<> |An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |None |207 + +|<> |Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Impact] |None |1 + +|<> |Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Tactic: Defense Evasion] |None |1 + |<> |Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Defense Evasion], [Rule Type: BBR] |None |1 +|<> |Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Resources: Investigation Guide], [Use Case: Threat Detection], [Tactic: Exfiltration] |None |1 + |<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Persistence] |None |206 |<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Impact] |None |206 @@ -130,9 +140,9 @@ and their rule type is `machine_learning`. |<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Tactic: Impact] |None |206 -|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |None |206 +|<> |Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Impact] |None |1 -|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |None |206 +|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |None |206 |<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Redshift], [Use Case: Asset Visibility], [Tactic: Persistence] |None |206 @@ -156,6 +166,8 @@ and their rule type is `machine_learning`. |<> |Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Use Case: Threat Detection], [Tactic: Exfiltration] |8.9.0 |1 +|<> |Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Data Source: AWS KMS], [Use Case: Threat Detection], [Tactic: Impact] |8.13.0 |1 + |<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |None |206 |<> |An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Discovery], [Resources: Investigation Guide] |None |1 @@ -184,7 +196,7 @@ and their rule type is `machine_learning`. |<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |None |10 -|<> |Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |None |2 +|<> |Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |3 |<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |None |108 @@ -292,9 +304,9 @@ and their rule type is `machine_learning`. |<> |Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application. |[Data Source: Okta], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.10.0 |207 -|<> |Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 +|<> |Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |4 -|<> |Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |None |208 +|<> |Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. |[Domain: Cloud], [Domain: SaaS], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |None |209 |<> |Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts. |[Use Case: Identity and Access Audit], [Tactic: Credential Access], [Data Source: Okta] |8.10.0 |208 @@ -374,11 +386,11 @@ and their rule type is `machine_learning`. |<> |Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell. |[Domain: Endpoint], [OS: macOS], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |104 -|<> |Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 +|<> |Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |4 |<> |Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |110 -|<> |Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR] |None |2 +|<> |Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |3 |<> |Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |2 @@ -434,7 +446,7 @@ and their rule type is `machine_learning`. |<> |Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |3 -|<> |Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 +|<> |Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |4 |<> |Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Use Case: Active Directory Monitoring] |None |1 @@ -528,6 +540,8 @@ and their rule type is `machine_learning`. |<> |Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. |[Data Source: Elastic Defend] |None |103 +|<> |Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |None |1 + |<> |Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |8 |<> |Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |111 @@ -610,7 +624,7 @@ and their rule type is `machine_learning`. |<> |Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |210 -|<> |Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 +|<> |Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Elastic Endgame], [Data Source: Sysmon] |None |4 |<> |This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Privilege Escalation] |8.10.0 |1 @@ -734,7 +748,7 @@ and their rule type is `machine_learning`. |<> |Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Tactic: Persistence], [Resources: Investigation Guide] |None |106 -|<> |Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Persistence] |None |205 +|<> |Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Persistence] |None |206 |<> |Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Resources: Investigation Guide] |None |206 @@ -750,11 +764,11 @@ and their rule type is `machine_learning`. |<> |Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Tactic: Impact], [Resources: Investigation Guide] |None |207 -|<> |Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept. |[Domain: Cloud], [Data Source: Google Workspace], [Tactic: Initial Access], [Resources: Investigation Guide] |None |4 +|<> |Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept. |[Domain: Cloud], [Data Source: Google Workspace], [Tactic: Initial Access], [Resources: Investigation Guide] |None |5 |<> |Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Resources: Investigation Guide] |None |205 -|<> |Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |106 +|<> |Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Configuration Audit], [Tactic: Defense Evasion], [Resources: Investigation Guide] |None |107 |<> |Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment. |[Domain: Cloud], [Data Source: Google Workspace], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Persistence] |None |205 @@ -886,7 +900,7 @@ and their rule type is `machine_learning`. |<> |Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |110 -|<> |Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint] |None |8 +|<> |Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Microsoft Defender for Endpoint] |None |9 |<> |Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |108 @@ -1006,7 +1020,7 @@ and their rule type is `machine_learning`. |<> |Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |110 -|<> |Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint] |8.3.0 |2 +|<> |Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: SentinelOne], [Data Source: Microsoft Defender for Endpoint] |8.12.0 |103 |<> |Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |112 @@ -1050,12 +1064,12 @@ and their rule type is `machine_learning`. |<> |This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised. |[Use Case: Threat Detection], [Rule Type: Higher-Order Rule] |None |4 +|<> |This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access], [Domain: SaaS] |8.13.0 |102 + |<> |Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |10 |<> |Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide] |None |9 -|<> |Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Initial Access] |8.10.0 |2 - |<> |Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Lateral Movement] |8.10.0 |1 |<> |Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access] |8.10.0 |2 @@ -1088,7 +1102,7 @@ and their rule type is `machine_learning`. |<> |Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Data Source: Auditd Manager] |None |1 -|<> |Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |111 +|<> |Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Command and Control], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |112 |<> |Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |108 @@ -1204,7 +1218,7 @@ and their rule type is `machine_learning`. |<> |Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Active Directory], [Use Case: Active Directory Monitoring] |None |1 -|<> |Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Use Case: Threat Detection], [Tactic: Impact] |8.13.0 |1 +|<> |Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Use Case: Threat Detection], [Tactic: Impact] |8.13.0 |2 |<> |Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Use Case: Potential Overload], [Use Case: Resource Exhaustion], [Mitre Atlas: LLM04] |8.13.0 |1 @@ -1260,7 +1274,7 @@ and their rule type is `machine_learning`. |<> |A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels. |[Use Case: Data Exfiltration Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Exfiltration] |None |4 -|<> |The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |None |2 +|<> |The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |3 |<> |Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |7 @@ -1382,6 +1396,8 @@ and their rule type is `machine_learning`. |<> |Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: PowerShell Logs] |8.12.0 |111 +|<> |Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI). |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: PowerShell Logs] |None |1 + |<> |Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: PowerShell Logs] |None |1 |<> |Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |107 @@ -1430,7 +1446,7 @@ and their rule type is `machine_learning`. |<> |This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |2 -|<> |Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |2 +|<> |Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |3 |<> |Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Initial Access], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |7 @@ -1706,7 +1722,7 @@ and their rule type is `machine_learning`. |<> |This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Initial Access], [Tactic: Lateral Movement] |None |2 -|<> |This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |1 +|<> |This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |2 |<> |This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Tactic: Persistence] |None |2 @@ -1746,6 +1762,8 @@ and their rule type is `machine_learning`. |<> |Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |None |110 +|<> |Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |1 + |<> |Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |107 |<> |Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Tactic: Defense Evasion], [Tactic: Execution], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |109 @@ -1754,12 +1772,14 @@ and their rule type is `machine_learning`. |<> |Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 -|<> |Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |None |2 +|<> |Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon] |None |3 -|<> |Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR] |None |3 +|<> |Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon] |None |4 |<> |This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |5 +|<> |This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1 + |<> |Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment. |[Domain: Cloud], [Data Source: Microsoft 365], [Tactic: Lateral Movement] |None |206 |<> |This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |8 @@ -1890,7 +1910,7 @@ and their rule type is `machine_learning`. |<> |Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice. |[Domain: Endpoint], [OS: Linux], [OS: Windows], [OS: macOS], [Use Case: Threat Detection], [Tactic: Command and Control] |None |3 -|<> |Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |2 +|<> |Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Impact], [Resources: Investigation Guide], [Data Source: Elastic Defend] |None |3 |<> |Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Initial Access], [Data Source: Elastic Defend] |None |107 @@ -1900,7 +1920,7 @@ and their rule type is `machine_learning`. |<> |Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |107 -|<> |Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend] |None |6 +|<> |Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend] |None |7 |<> |This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution] |None |2 @@ -1922,7 +1942,7 @@ and their rule type is `machine_learning`. |<> |Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |2 -|<> |Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |None |106 +|<> |Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |None |107 |<> |Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |109 @@ -2028,7 +2048,7 @@ and their rule type is `machine_learning`. |<> |Identifies the use of built-in tools to read the contents of \etc\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager] |None |3 -|<> |Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Rule Type: BBR] |None |10 +|<> |Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Execution], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Elastic Endgame] |None |11 |<> |Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |110 @@ -2062,7 +2082,7 @@ and their rule type is `machine_learning`. |<> |This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion] |None |2 -|<> |Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager] |None |105 +|<> |Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Data Source: Elastic Endgame], [Data Source: Auditd Manager] |None |106 |<> |Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution] |None |7 @@ -2142,7 +2162,7 @@ and their rule type is `machine_learning`. |<> |Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Initial Access], [Resources: Investigation Guide], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |1 -|<> |Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |114 +|<> |Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |115 |<> |Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Endgame], [Use Case: Vulnerability], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |110 @@ -2280,7 +2300,7 @@ and their rule type is `machine_learning`. |<> |Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Elastic Endgame] |None |2 -|<> |Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR] |None |4 +|<> |Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame] |None |5 |<> |Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1 @@ -2330,7 +2350,7 @@ and their rule type is `machine_learning`. |<> |Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Endgame], [Data Source: Elastic Defend] |None |7 -|<> |Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |4 +|<> |Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |None |5 |<> |This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |4 diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc index 7ef3f9b706..4b0daf55cf 100644 --- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc +++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc @@ -51,13 +51,18 @@ include::rule-details/aws-lambda-layer-added-to-existing-function.asciidoc[] include::rule-details/aws-management-console-brute-force-of-root-user-identity.asciidoc[] include::rule-details/aws-management-console-root-login.asciidoc[] include::rule-details/aws-rds-cluster-creation.asciidoc[] +include::rule-details/aws-rds-db-instance-made-public.asciidoc[] +include::rule-details/aws-rds-db-instance-restored.asciidoc[] +include::rule-details/aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc[] +include::rule-details/aws-rds-db-instance-or-cluster-password-modified.asciidoc[] include::rule-details/aws-rds-db-snapshot-created.asciidoc[] +include::rule-details/aws-rds-db-snapshot-shared-with-another-account.asciidoc[] include::rule-details/aws-rds-instance-creation.asciidoc[] include::rule-details/aws-rds-instance-cluster-stoppage.asciidoc[] include::rule-details/aws-rds-security-group-creation.asciidoc[] include::rule-details/aws-rds-security-group-deletion.asciidoc[] +include::rule-details/aws-rds-snapshot-deleted.asciidoc[] include::rule-details/aws-rds-snapshot-export.asciidoc[] -include::rule-details/aws-rds-snapshot-restored.asciidoc[] include::rule-details/aws-redshift-cluster-creation.asciidoc[] include::rule-details/aws-root-login-without-mfa.asciidoc[] include::rule-details/aws-route-53-domain-transfer-lock-disabled.asciidoc[] @@ -69,6 +74,7 @@ include::rule-details/aws-s3-bucket-configuration-deletion.asciidoc[] include::rule-details/aws-s3-bucket-enumeration-or-brute-force.asciidoc[] include::rule-details/aws-s3-bucket-expiration-lifecycle-configuration-added.asciidoc[] include::rule-details/aws-s3-bucket-policy-added-to-share-with-external-account.asciidoc[] +include::rule-details/aws-s3-object-encryption-using-external-kms-key.asciidoc[] include::rule-details/aws-saml-activity.asciidoc[] include::rule-details/aws-sts-getcalleridentity-api-called-for-the-first-time.asciidoc[] include::rule-details/aws-sts-getsessiontoken-abuse.asciidoc[] @@ -255,6 +261,7 @@ include::rule-details/enable-host-network-discovery-via-netsh.asciidoc[] include::rule-details/encoded-executable-stored-in-the-registry.asciidoc[] include::rule-details/encrypting-files-with-winrar-or-7z.asciidoc[] include::rule-details/endpoint-security.asciidoc[] +include::rule-details/entra-id-device-code-auth-with-broker-client.asciidoc[] include::rule-details/enumerating-domain-trusts-via-dsquery-exe.asciidoc[] include::rule-details/enumerating-domain-trusts-via-nltest-exe.asciidoc[] include::rule-details/enumeration-command-spawned-via-wmiprvse.asciidoc[] @@ -358,7 +365,7 @@ include::rule-details/github-ueba-multiple-alerts-from-a-github-account.asciidoc include::rule-details/github-user-blocked-from-organization.asciidoc[] include::rule-details/google-drive-ownership-transferred-via-google-workspace.asciidoc[] include::rule-details/google-workspace-2sv-policy-disabled.asciidoc[] -include::rule-details/google-workspace-api-access-granted-via-domain-wide-delegation-of-authority.asciidoc[] +include::rule-details/google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc[] include::rule-details/google-workspace-admin-role-assigned-to-a-user.asciidoc[] include::rule-details/google-workspace-admin-role-deletion.asciidoc[] include::rule-details/google-workspace-bitlocker-setting-disabled.asciidoc[] @@ -366,9 +373,9 @@ include::rule-details/google-workspace-custom-admin-role-created.asciidoc[] include::rule-details/google-workspace-custom-gmail-route-created-or-modified.asciidoc[] include::rule-details/google-workspace-drive-encryption-key-s-accessed-from-anonymous-user.asciidoc[] include::rule-details/google-workspace-mfa-enforcement-disabled.asciidoc[] -include::rule-details/google-workspace-object-copied-from-external-drive-and-access-granted-to-custom-application.asciidoc[] +include::rule-details/google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc[] include::rule-details/google-workspace-password-policy-modified.asciidoc[] -include::rule-details/google-workspace-restrictions-for-google-marketplace-modified-to-allow-any-app.asciidoc[] +include::rule-details/google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc[] include::rule-details/google-workspace-role-modified.asciidoc[] include::rule-details/google-workspace-suspended-user-account-renewed.asciidoc[] include::rule-details/google-workspace-user-organizational-unit-changed.asciidoc[] @@ -516,9 +523,9 @@ include::rule-details/mshta-making-network-connections.asciidoc[] include::rule-details/multi-factor-authentication-disabled-for-an-azure-user.asciidoc[] include::rule-details/multiple-alerts-involving-a-user.asciidoc[] include::rule-details/multiple-alerts-in-different-att-ck-tactics-on-a-single-host.asciidoc[] +include::rule-details/multiple-device-token-hashes-for-single-okta-session.asciidoc[] include::rule-details/multiple-logon-failure-followed-by-logon-success.asciidoc[] include::rule-details/multiple-logon-failure-from-the-same-source-address.asciidoc[] -include::rule-details/multiple-okta-client-addresses-for-a-single-user-session.asciidoc[] include::rule-details/multiple-okta-sessions-detected-for-a-single-user.asciidoc[] include::rule-details/multiple-okta-user-auth-events-with-same-device-token-hash-behind-a-proxy.asciidoc[] include::rule-details/multiple-okta-user-authentication-events-with-client-address.asciidoc[] @@ -682,6 +689,7 @@ include::rule-details/potential-persistence-via-time-provider-modification.ascii include::rule-details/potential-port-monitor-or-print-processor-registration-abuse.asciidoc[] include::rule-details/potential-powershell-hacktool-script-by-author.asciidoc[] include::rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc[] +include::rule-details/potential-powershell-obfuscated-script.asciidoc[] include::rule-details/potential-powershell-pass-the-hash-relay-script.asciidoc[] include::rule-details/potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[] include::rule-details/potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] @@ -864,6 +872,7 @@ include::rule-details/sensitive-files-compression.asciidoc[] include::rule-details/sensitive-files-compression-inside-a-container.asciidoc[] include::rule-details/sensitive-keys-or-passwords-searched-for-inside-a-container.asciidoc[] include::rule-details/sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[] +include::rule-details/sensitive-registry-hive-access-via-regback.asciidoc[] include::rule-details/service-command-lateral-movement.asciidoc[] include::rule-details/service-control-spawned-via-script-interpreter.asciidoc[] include::rule-details/service-creation-via-local-kerberos-authentication.asciidoc[] @@ -871,6 +880,7 @@ include::rule-details/service-disabled-via-registry-modification.asciidoc[] include::rule-details/service-path-modification.asciidoc[] include::rule-details/service-path-modification-via-sc-exe.asciidoc[] include::rule-details/setcap-setuid-setgid-capability-set.asciidoc[] +include::rule-details/shadow-file-modification.asciidoc[] include::rule-details/sharepoint-malware-file-upload.asciidoc[] include::rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] include::rule-details/shell-configuration-creation-or-modification.asciidoc[] diff --git a/docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc b/docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc index 5c79c58212..4c7221b698 100644 --- a/docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc @@ -8,6 +8,9 @@ Identifies commands containing references to Outlook data files extensions, whic *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -29,8 +32,10 @@ Identifies commands containing references to Outlook data files extensions, whic * Tactic: Collection * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc index 23d6d1e7d7..54cac87a18 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc @@ -8,6 +8,9 @@ Attackers may try to access private keys, e.g. ssh, in order to gain further aut *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -29,8 +32,10 @@ Attackers may try to access private keys, e.g. ssh, in order to gain further aut * Tactic: Credential Access * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-a-microsoft-365-user-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-a-microsoft-365-user-account.asciidoc index daccc93d60..14fdb4cda8 100644 --- a/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-a-microsoft-365-user-account.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/attempts-to-brute-force-a-microsoft-365-user-account.asciidoc @@ -3,35 +3,34 @@ Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. -*Rule type*: threshold +*Rule type*: esql -*Rule indices*: +*Rule indices*: None -* filebeat-* -* logs-o365* +*Severity*: medium -*Severity*: high - -*Risk score*: 73 +*Risk score*: 47 *Runs every*: 5m -*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) *Maximum alerts per execution*: 100 *References*: * https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem +* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties *Tags*: * Domain: Cloud +* Domain: SaaS * Data Source: Microsoft 365 * Use Case: Identity and Access Audit * Tactic: Credential Access -*Version*: 208 +*Version*: 209 *Rule authors*: @@ -57,12 +56,40 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured [source, js] ---------------------------------- -event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and - event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and - not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or - UserStrongAuthClientAuthNRequired or InvalidReplyTo or SsoArtifactExpiredDueToConditionalAccess or - PasswordResetRegistrationRequiredInterrupt or SsoUserAccountNotFoundInResourceTenant or - UserStrongAuthExpired) +from logs-o365.audit-* +| MV_EXPAND event.category +| WHERE event.dataset == "o365.audit" + AND event.category == "authentication" + + // filter only on Entra ID or Exchange audit logs in O365 integration + AND event.provider in ("AzureActiveDirectory", "Exchange") + + // filter only for UserLoginFailed or partial failures + AND event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword") + + // ignore specific logon errors + AND not o365.audit.LogonError in ( + "EntitlementGrantsNotFound", + "UserStrongAuthEnrollmentRequired", + "UserStrongAuthClientAuthNRequired", + "InvalidReplyTo", + "SsoArtifactExpiredDueToConditionalAccess", + "PasswordResetRegistrationRequiredInterrupt", + "SsoUserAccountNotFoundInResourceTenant", + "UserStrongAuthExpired", + "CmsiInterrupt" +) + // filters out non user or application logins based on target + AND o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10") + + // filters only for logins from user or application, ignoring oauth:token + AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)" + +| STATS + // count the number of failed login attempts target per user + login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError + +| WHERE login_attempt_counts > 10 ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-made-public.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-made-public.asciidoc new file mode 100644 index 0000000000..1d541cf2c5 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-made-public.asciidoc @@ -0,0 +1,132 @@ +[[aws-rds-db-instance-made-public]] +=== AWS RDS DB Instance Made Public + +Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance Made Public* + + +This rule identifies when an RDS DB instance is created or modified to enable public access. While publicly accessible DB instances are a common practice, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Creation/Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance`, `CreateDBInstance` or `CreateDBCluster` actions where the publiclyAccessible parameter was set to true. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance. +- **Verify the Created/Modified Instance**: Check the DB instance that was created or modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this event to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Configuration**: Confirm if the DB instance creation or modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the instance attributes to remove public access and restore it to its previous state. Determine whether attached security groups have been modified to allow additional access and revert any unauthorized changes. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and ( + (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true")) + or + (event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Sub-technique: +** Name: Conditional Access Policies +** ID: T1556.009 +** Reference URL: https://attack.mitre.org/techniques/T1556/009/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc new file mode 100644 index 0000000000..279f485b20 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-deletion-protection-disabled.asciidoc @@ -0,0 +1,119 @@ +[[aws-rds-db-instance-or-cluster-deletion-protection-disabled]] +=== AWS RDS DB Instance or Cluster Deletion Protection Disabled + +Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled* + + +This rule identifies when the deletion protection feature is removed from an RDS DB instance or cluster. Removing deletion protection is a prerequisite for deleting a DB instance. Adversaries may exploit this feature to permanently delete data in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the deletionProtection parameter was changed. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB instance or cluster identifier and any other modifications made to the instance. +- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB instance or cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, reset deletionProtection to true. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html[Deleting AWS RDS DB Instance] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("ModifyDBInstance", "ModifyDBCluster") + and event.outcome == "success" + and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-password-modified.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-password-modified.asciidoc new file mode 100644 index 0000000000..b8cda33a86 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-or-cluster-password-modified.asciidoc @@ -0,0 +1,134 @@ +[[aws-rds-db-instance-or-cluster-password-modified]] +=== AWS RDS DB Instance or Cluster Password Modified + +Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Instance or Cluster Password Modified* + + +This rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance. +- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances. + +*False Positive Analysis* + + +- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security: +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance] +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html[Amazon RDS and Secrets Manager] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("ModifyDBInstance", "ModifyDBCluster") + and event.outcome == "success" + and stringContains(aws.cloudtrail.request_parameters, "masterUserPassword=*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Credentials +** ID: T1098.001 +** Reference URL: https://attack.mitre.org/techniques/T1098/001/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-restored.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-restored.asciidoc new file mode 100644 index 0000000000..709ff79e98 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-instance-restored.asciidoc @@ -0,0 +1,78 @@ +[[aws-rds-db-instance-restored]] +=== AWS RDS DB Instance Restored + +An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html +* https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Use Case: Asset Visibility +* Tactic: Defense Evasion + +*Version*: 207 + +*Rule authors*: + +* Austin Songer +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") + and event.outcome == "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Cloud Compute Infrastructure +** ID: T1578 +** Reference URL: https://attack.mitre.org/techniques/T1578/ +* Sub-technique: +** Name: Create Cloud Instance +** ID: T1578.002 +** Reference URL: https://attack.mitre.org/techniques/T1578/002/ +* Sub-technique: +** Name: Revert Cloud Instance +** ID: T1578.004 +** Reference URL: https://attack.mitre.org/techniques/T1578/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-db-snapshot-shared-with-another-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-snapshot-shared-with-another-account.asciidoc new file mode 100644 index 0000000000..d1be4a2b25 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-db-snapshot-shared-with-another-account.asciidoc @@ -0,0 +1,124 @@ +[[aws-rds-db-snapshot-shared-with-another-account]] +=== AWS RDS DB Snapshot Shared with Another Account + +Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Resources: Investigation Guide +* Use Case: Threat Detection +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS RDS DB Snapshot Shared with Another Account* + + +This rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control. + + +*Possible Investigation Steps* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared. +- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it. +- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots. + + +*False Positive Analysis* + + +- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks. +- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation* + + +- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions. +- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege. +- **Policy Update**: Review and possibly update your organization’s policies on DB snapshot sharing to tighten control and prevent unauthorized access. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. + + +*Additional Information:* + + +For further guidance on managing DB backups and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB snapshot security: +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html[AWS RDS DB Snapshot Sharing] +- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html[AWS RDS ModifyDBSnapshotAttribute] +- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot[AWS RDS Snapshot Dump] + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and event.action in ("ModifyDBSnapshotAttribute", "ModifyDBClusterSnapshotAttribute") + and stringContains(aws.cloudtrail.request_parameters, "attributeName=restore") + and stringContains(aws.cloudtrail.request_parameters, "valuesToAdd=[*]") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-deleted.asciidoc new file mode 100644 index 0000000000..cf0522d936 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-rds-snapshot-deleted.asciidoc @@ -0,0 +1,70 @@ +[[aws-rds-snapshot-deleted]] +=== AWS RDS Snapshot Deleted + +Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html +* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS RDS +* Use Case: Asset Visibility +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.outcome == "success" + and ( + event.action in ("DeleteDBSnapshot", "DeleteDBClusterSnapshot") or + (event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "backupRetentionPeriod=0")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/rule-details/aws-s3-object-encryption-using-external-kms-key.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-s3-object-encryption-using-external-kms-key.asciidoc new file mode 100644 index 0000000000..8bb66ba44c --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-s3-object-encryption-using-external-kms-key.asciidoc @@ -0,0 +1,135 @@ +[[aws-s3-object-encryption-using-external-kms-key]] +=== AWS S3 Object Encryption Using External KMS Key + +Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/ +* https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/ +* https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/ +* https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS S3 +* Data Source: AWS KMS +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating AWS S3 Object Encryption Using External KMS Key* + + +This rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data. +This rule uses https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule[ES|QL] to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption. + + +*Possible Investigation Steps:* + + +- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions. +- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId. +- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access. +- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny. +- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities. +- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions. +- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets. + + +*False Positive Analysis:* + + +- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems. +- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm. + + +*Response and Remediation:* + + +- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity. +- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions. +- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware. +- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege. +- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences. + + +*Additional Information:* + + +For further guidance on managing S3 bucket security and protecting against ransomware, refer to the https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html[AWS S3 documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection: +- https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf[ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild] +- https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/[S3 Ransomware Part 1: Attack Vector] + + +==== Setup + + +AWS S3 data event types need to be enabled in the CloudTrail trail configuration. + +==== Rule query + + +[source, js] +---------------------------------- +from logs-aws.cloudtrail-* + +// any successful copy event +| where event.dataset == "aws.cloudtrail" + and event.provider == "s3.amazonaws.com" + and event.action == "CopyObject" + and event.outcome == "success" + +// abstract key account id, key id, encrypted object bucket name and object name +| dissect aws.cloudtrail.request_parameters "{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}" + +// filter for s3 objects whose account id is different from the encryption key's account id +// add exceptions based on key.account.id or keyId for known external accounts or encryption keys +| where cloud.account.id != key.account.id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc index 04d2e60089..853f0f2929 100644 --- a/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc @@ -8,6 +8,9 @@ Attackers may abuse cmd.exe commands to reassemble binary fragments into a malic *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -30,8 +33,10 @@ Attackers may abuse cmd.exe commands to reassemble binary fragments into a malic * Tactic: Execution * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc b/docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc index 4b05a16b75..f7fcd8521f 100644 --- a/docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc @@ -8,6 +8,9 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -29,8 +32,10 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async * Tactic: Command and Control * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc b/docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc index aed6174c3b..9e5b30c0cd 100644 --- a/docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc @@ -8,6 +8,8 @@ Identifies the suspicious creation of SettingContents-ms files, which have been *Rule indices*: * logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* *Severity*: low @@ -31,8 +33,10 @@ Identifies the suspicious creation of SettingContents-ms files, which have been * Tactic: Execution * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/entra-id-device-code-auth-with-broker-client.asciidoc b/docs/detections/prebuilt-rules/rule-details/entra-id-device-code-auth-with-broker-client.asciidoc new file mode 100644 index 0000000000..6f78120c92 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/entra-id-device-code-auth-with-broker-client.asciidoc @@ -0,0 +1,76 @@ +[[entra-id-device-code-auth-with-broker-client]] +=== Entra ID Device Code Auth with Broker Client + +Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-azure.signinlogs-* +* logs-azure.activitylogs-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf +* https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in +* https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs + +*Tags*: + +* Domain: Cloud +* Data Source: Azure +* Data Source: Microsoft Entra ID +* Use Case: Identity and Access Audit +* Tactic: Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + +This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. + + +==== Rule query + + +[source, js] +---------------------------------- + event.dataset:(azure.activitylogs or azure.signinlogs) + and azure.signinlogs.properties.authentication_protocol:deviceCode + and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e + and event.outcome:success or ( + azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e + and azure.activitylogs.properties.authentication_protocol:deviceCode) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Application Access Token +** ID: T1528 +** Reference URL: https://attack.mitre.org/techniques/T1528/ diff --git a/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc b/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc index 9ae417878a..080aa1f576 100644 --- a/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc @@ -8,6 +8,8 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir *Rule indices*: * logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* +* endgame-* *Severity*: low @@ -29,8 +31,10 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir * Tactic: Collection * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Elastic Endgame +* Data Source: Sysmon -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc new file mode 100644 index 0000000000..acdf25550f --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-api-access-granted-via-domain-wide-delegation.asciidoc @@ -0,0 +1,138 @@ +[[google-workspace-api-access-granted-via-domain-wide-delegation]] +=== Google Workspace API Access Granted via Domain-Wide Delegation + +Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developers.google.com/admin-sdk/directory/v1/guides/delegation + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Persistence + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace API Access Granted via Domain-Wide Delegation* + + +Domain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace. + +Applications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold. + +This rule identifies when an application is authorized API client access. + + +*Possible investigation steps* + + +- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert. + - Only users with super admin privileges can authorize API client access. +- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert. + - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID. + - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field. + - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS. +- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings. + + +*False positive analysis* + + +- Changes to domain-wide delegation require super admin privileges. Check with the user to ensure these changes were expected. +- Review scheduled maintenance notes related to expected API access changes. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Review the scope of the authorized API client access in Google Workspace. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://support.google.com/a/answer/7587183[outlined] by Google. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:google_workspace.admin + and event.provider:admin + and event.category:iam + and event.action:AUTHORIZE_API_CLIENT_ACCESS + and event.outcome:success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc new file mode 100644 index 0000000000..fb18fbc882 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-to-external-drive-with-app-consent.asciidoc @@ -0,0 +1,153 @@ +[[google-workspace-object-copied-to-external-drive-with-app-consent]] +=== Google Workspace Object Copied to External Drive with App Consent + +Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one +* https://developers.google.com/apps-script/guides/bound +* https://support.google.com/a/users/answer/13004165#share_make_a_copy_links + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Tactic: Initial Access +* Resources: Investigation Guide + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace Object Copied to External Drive with App Consent* + + +Google Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive. + +This rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt. + + +*Possible investigation steps* + +- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert. +- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging. +- Identify the file type by reviewing `google_workspace.drive.file.type`. +- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread. +- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`. + - Review the application ID as well from `google_workspace.token.client.id`. + - This metadata can be used to report the malicious application to Google for permanent blacklisting. +- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`. + - This information will help pivot and triage into what services may have been affected. +- If a container-bound script was attached to the copied object, it will also exist in the user's drive. + - This object should be removed from all users affected and investigated for a better understanding of the malicious code. + + +*False positive analysis* + +- Communicate with the affected user to identify if these actions were intentional +- If a container-bound script exists, review code to identify if it is benign or malicious + + +*Response and remediation* + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. + - Resetting passwords will revoke OAuth tokens which could have been stolen. +- Reactivate multi-factor authentication for the user. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security defaults https://cloud.google.com/security-command-center/docs/how-to-investigate-threats[provided by Google]. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +*Setup* + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +sequence by source.user.email with maxspan=3m +[file where event.dataset == "google_workspace.drive" and event.action == "copy" and + + /* Should only match if the object lives in a Drive that is external to the user's GWS organization */ + google_workspace.drive.owner_is_team_drive == "false" and google_workspace.drive.copy_type == "external" and + + /* Google Script, Forms, Sheets and Document can have container-bound scripts */ + google_workspace.drive.file.type: ("script", "form", "spreadsheet", "document")] + +[any where event.dataset == "google_workspace.token" and event.action == "authorize" and + + /* Ensures application ID references custom app in Google Workspace and not GCP */ + google_workspace.token.client.id : "*apps.googleusercontent.com"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/rule-details/google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc b/docs/detections/prebuilt-rules/rule-details/google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc new file mode 100644 index 0000000000..1e7dd21023 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/google-workspace-restrictions-for-marketplace-modified-to-allow-any-app.asciidoc @@ -0,0 +1,143 @@ +[[google-workspace-restrictions-for-marketplace-modified-to-allow-any-app]] +=== Google Workspace Restrictions for Marketplace Modified to Allow Any App + +Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-google_workspace* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.google.com/a/answer/6089179?hl=en + +*Tags*: + +* Domain: Cloud +* Data Source: Google Workspace +* Use Case: Configuration Audit +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App* + + +Google Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers. + +Marketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent. + +Google clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google. + +This rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications. + + +*Possible investigation steps* + + +- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert. +- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace. +- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made. + - The `google_workspace.admin.application.name` field will help identify what applications were added. +- With the user account, review other potentially related events within the last 48 hours. +- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks. +- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`. + + +*False positive analysis* + + +- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace. +- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs. + - Follow up with the user who added the application to ensure this was intended. +- Verify the application identified has been assessed thoroughly by an administrator. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Disable or limit the account during the investigation and response. +- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context: + - Identify the account role in the cloud environment. + - Assess the criticality of affected services and servers. + - Work with your IT team to identify and minimize the impact on users. + - Identify if the attacker is moving laterally and compromising other accounts, servers, or services. + - Identify any regulatory or legal ramifications related to this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions. +- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed. +- Implement security best practices https://support.google.com/a/answer/7587183[outlined] by Google. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + + +*Important Information Regarding Google Workspace Event Lag Times* + +- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. +- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. +- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m). +- See the following references for further information: + - https://support.google.com/a/answer/7061566 + - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html + +==== Setup + + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"google_workspace.admin" and event.action:"CHANGE_APPLICATION_SETTING" and event.category:(iam or configuration) + and google_workspace.event.type:"APPLICATION_SETTINGS" and google_workspace.admin.application.name:"Google Workspace Marketplace" + and google_workspace.admin.setting.name:"Apps Access Setting Allowlist access" and google_workspace.admin.new_value:"ALLOW_ALL" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc b/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc index ce26e7857f..49d231cc0d 100644 --- a/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc @@ -34,7 +34,7 @@ Identifies access attempts to the LSASS handle, which may indicate an attempt to * Data Source: Elastic Defend * Data Source: Microsoft Defender for Endpoint -*Version*: 8 +*Version*: 9 *Rule authors*: @@ -147,6 +147,7 @@ api where host.os.type == "windows" and "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", @@ -165,9 +166,18 @@ api where host.os.type == "windows" and "?:\\Windows\\System32\\csrss.exe", "?:\\Windows\\System32\\MRT.exe", "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\taskhostw.exe", "?:\\Windows\\System32\\RtkAudUService64.exe", "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe", + "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe", + "?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe", + "?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe", + "?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe", + "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\KES*\\avp.exe", + "?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe", + "?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe" ) and not ?process.code_signature.trusted == false ) diff --git a/docs/detections/prebuilt-rules/rule-details/microsoft-management-console-file-from-unusual-path.asciidoc b/docs/detections/prebuilt-rules/rule-details/microsoft-management-console-file-from-unusual-path.asciidoc index 43e8c54e28..d1eb1ae2b0 100644 --- a/docs/detections/prebuilt-rules/rule-details/microsoft-management-console-file-from-unusual-path.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/microsoft-management-console-file-from-unusual-path.asciidoc @@ -40,7 +40,7 @@ Identifies attempts to open a Microsoft Management Console File from untrusted p * Data Source: SentinelOne * Data Source: Microsoft Defender for Endpoint -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/multiple-device-token-hashes-for-single-okta-session.asciidoc b/docs/detections/prebuilt-rules/rule-details/multiple-device-token-hashes-for-single-okta-session.asciidoc new file mode 100644 index 0000000000..6a57e3e624 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/multiple-device-token-hashes-for-single-okta-session.asciidoc @@ -0,0 +1,143 @@ +[[multiple-device-token-hashes-for-single-okta-session]] +=== Multiple Device Token Hashes for Single Okta Session + +This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Credential Access +* Domain: SaaS + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Multiple Device Token Hashes for Single Okta Session* + + +This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources. + + +*Possible investigation steps:* + +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert. +- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - Authentication events have been filtered out to focus on Okta activity via established sessions. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. +- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action. + - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily. + + +*False positive analysis:* + +- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established. + + +*Response and remediation:* + +- Consider stopping all sessions for the user(s) involved in this action. +- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. + + +==== Setup + + + +*Setup* + + +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +==== Rule query + + +[source, js] +---------------------------------- +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + // ignore authentication events where session and device token hash change often + AND NOT event.action IN ( + "policy.evaluate_sign_on", + "user.session.start", + "user.authentication.sso" + ) + // ignore Okta system events and only allow registered users + AND ( + okta.actor.alternate_id != "system@okta.com" + AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+" + ) + AND okta.authentication_context.external_session_id != "unknown" +| STATS + dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY + okta.actor.alternate_id, + okta.authentication_context.external_session_id +| WHERE + dt_hash_counts >= 2 +| SORT + dt_hash_counts DESC + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc index eae02c3386..81437d3945 100644 --- a/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/network-connection-via-certutil.asciidoc @@ -10,6 +10,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer * winlogbeat-* * logs-endpoint.events.network-* * logs-windows.sysmon_operational-* +* endgame-* *Severity*: low @@ -35,8 +36,9 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer * Resources: Investigation Guide * Data Source: Elastic Defend * Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 111 +*Version*: 112 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc index 2ada16c6be..2fce212013 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-aws-s3-bucket-ransomware-note-uploaded.asciidoc @@ -32,7 +32,7 @@ Identifies potential ransomware note being uploaded to an AWS S3 bucket. This ru * Use Case: Threat Detection * Tactic: Impact -*Version*: 1 +*Version*: 2 *Rule authors*: @@ -117,7 +117,8 @@ from logs-aws.cloudtrail-* | dissect aws.cloudtrail.request_parameters "%{?ignore_values}key=%{object_name}}" // regex on common ransomware note extensions -| where object_name rlike "(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)" +| where object_name rlike "(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)" + and not object_name rlike "(.*)(AWSLogs|CloudTrail|access-logs)(.*)" // aggregate by S3 bucket, resource and object name | stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name diff --git a/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc index 384df4e64d..0b0b03ba6b 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc @@ -8,6 +8,9 @@ The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -31,8 +34,10 @@ The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line * Tactic: Defense Evasion * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscated-script.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscated-script.asciidoc new file mode 100644 index 0000000000..cbd74c44b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/potential-powershell-obfuscated-script.asciidoc @@ -0,0 +1,122 @@ +[[potential-powershell-obfuscated-script]] +=== Potential PowerShell Obfuscated Script + +Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI). + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.powershell* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/danielbohannon/Invoke-Obfuscation + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: PowerShell Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[string]::join" or + "-Join" or + "[convert]::toint16" or + "[char][int]$_" or + ("ConvertTo-SecureString" and "PtrToStringAuto") or + ".GetNetworkCredential().password" or + "-BXor" or + ("replace" and "char") or + "[array]::reverse" + ) and + powershell.file.script_block_text : ( + ("$pSHoMe[" and "+$pSHoMe[") or + ("$ShellId[" and "+$ShellId[") or + ("$env:ComSpec[4" and "25]-Join") or + (("Set-Variable" or "SV" or "Set-Item") and "OFS") or + ("*MDR*" and "Name[3,11,2]") or + ("$VerbosePreference" and "[1,3]+'X'-Join''") or + ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc b/docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc index 81407b6198..5e8abdaf66 100644 --- a/docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc @@ -30,7 +30,7 @@ Identifies an incoming SMB connection followed by the creation of a file with a * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -100,9 +100,11 @@ Identifies an incoming SMB connection followed by the creation of a file with a sequence by host.id with maxspan=1s [network where host.os.type == "windows" and event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and - source.ip != "127.0.0.1" and source.ip != "::1"] + source.ip != "127.0.0.1" and source.ip != "::1" and + network.type == "ipv4" and not endswith(source.address, destination.address)] [file where host.os.type == "windows" and event.action == "creation" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and + file.path : "C:\\Users\\*" and /* ransom file name keywords */ file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 diff --git a/docs/detections/prebuilt-rules/rule-details/sensitive-registry-hive-access-via-regback.asciidoc b/docs/detections/prebuilt-rules/rule-details/sensitive-registry-hive-access-via-regback.asciidoc new file mode 100644 index 0000000000..94389657a3 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/sensitive-registry-hive-access-via-regback.asciidoc @@ -0,0 +1,127 @@ +[[sensitive-registry-hive-access-via-regback]] +=== Sensitive Registry Hive Access via RegBack + +Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Sensitive Registry Hive Access via RegBack* + + +Collecting registry hives is a common way to access credential information as some hives store credential material. + +For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets). + +Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + + +*Possible investigation steps* + + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the credential material was exfiltrated or processed locally by other tools. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. + + +*False positive analysis* + + +- Administrators can export registry hives for backup purposes. Check whether the user is legitamitely performing this kind of activity. + + +*Related rules* + + +- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and + event.action == "open" and event.outcome == "success" and process.executable != null and + file.path : + ("?:\\Windows\\System32\\config\\RegBack\\SAM", + "?:\\Windows\\System32\\config\\RegBack\\SECURITY", + "?:\\Windows\\System32\\config\\RegBack\\SYSTEM") and + not (user.id == "S-1-5-18" and process.executable : "?:\\Windows\\system32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ diff --git a/docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc b/docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc index 87945fd1fc..5d165f2a6c 100644 --- a/docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc @@ -8,7 +8,9 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* * endgame-* +* logs-system.security* *Severity*: low @@ -31,8 +33,9 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may * Data Source: Elastic Endgame * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon -*Version*: 3 +*Version*: 4 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc index cccc6885ce..24d628e2f2 100644 --- a/docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc @@ -9,6 +9,7 @@ Identifies attempts to modify a service path by an unusual process. Attackers ma * logs-endpoint.events.registry-* * endgame-* +* logs-windows.sysmon_operational-* *Severity*: low @@ -31,8 +32,9 @@ Identifies attempts to modify a service path by an unusual process. Attackers ma * Data Source: Elastic Endgame * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon -*Version*: 2 +*Version*: 3 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/shadow-file-modification.asciidoc b/docs/detections/prebuilt-rules/rule-details/shadow-file-modification.asciidoc new file mode 100644 index 0000000000..d696685e44 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/shadow-file-modification.asciidoc @@ -0,0 +1,107 @@ +[[shadow-file-modification]] +=== Shadow File Modification + +This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click Add integrations. +- In the query bar, search for Elastic Defend and select the integration to see more details about it. +- Click Add Elastic Defend. +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click Save and Continue. +- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and +file.path == "/etc/shadow" and file.Ext.original.path != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/rule-details/ssh-key-generated-via-ssh-keygen.asciidoc b/docs/detections/prebuilt-rules/rule-details/ssh-key-generated-via-ssh-keygen.asciidoc index 836b5e0600..8e1614c2b5 100644 --- a/docs/detections/prebuilt-rules/rule-details/ssh-key-generated-via-ssh-keygen.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/ssh-key-generated-via-ssh-keygen.asciidoc @@ -7,7 +7,7 @@ This rule identifies the creation of SSH keys using the ssh-keygen tool, which i *Rule indices*: -* logs-endpoint.events.process* +* logs-endpoint.events.file* * endgame-* *Severity*: low @@ -32,7 +32,7 @@ This rule identifies the creation of SSH keys using the ssh-keygen tool, which i * Data Source: Elastic Endgame * Data Source: Elastic Defend -*Version*: 1 +*Version*: 2 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc index 3044c815c1..e92c21061c 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc @@ -32,7 +32,7 @@ Identifies an incoming SMB connection followed by a suspicious file rename opera * Resources: Investigation Guide * Data Source: Elastic Defend -*Version*: 2 +*Version*: 3 *Rule authors*: @@ -101,10 +101,11 @@ Identifies an incoming SMB connection followed by a suspicious file rename opera sequence by host.id with maxspan=1s [network where host.os.type == "windows" and event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and - source.ip != "127.0.0.1" and source.ip != "::1"] + source.ip != "127.0.0.1" and source.ip != "::1" and + network.type == "ipv4" and not endswith(source.address, destination.address)] [file where host.os.type == "windows" and event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and - file.extension != null and file.Ext.entropy >= 6 and + file.extension != null and file.Ext.entropy >= 6 and file.path : "C:\\Users\\*" and file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc index 629d7ff1a4..6931a0c68c 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc @@ -31,7 +31,7 @@ Detects Inter-Process Communication with Outlook via Component Object Model from * Tactic: Collection * Data Source: Elastic Defend -*Version*: 6 +*Version*: 7 *Rule authors*: @@ -57,9 +57,9 @@ sequence with maxspan=1m (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) ) ) -] by process.executable +] by process.entity_id [process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and - process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable + process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc b/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc index 785d9a4912..b00dc25c29 100644 --- a/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc @@ -31,7 +31,7 @@ Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was ob * Use Case: Configuration Audit * Tactic: Initial Access -*Version*: 106 +*Version*: 107 *Rule authors*: @@ -85,9 +85,9 @@ event.dataset:o365.audit and event.provider:Exchange and event.category:web and not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e366-9d6d-4c70-b22a-34c7ea72d73d" or "a3883eba-fbe9-48bd-9ed3-dca3e0e84250" or "d3590ed6-52b3-4102-aeff-aad2292ab01c" or "27922004-5251-4030-b22d-91ecd9a37ea4" or "1fec8e78-bce4-4aaf-ab1b-5451cc387264" or "26a7ee05-5602-4d76-a7ba-eae8b7b67941" or "00000002-0000-0000-c000-000000000000" or - "00000002-0000-0ff1-ce00-000000000000" or "00000003-0000-0000-c000-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or - "00000003-0000-0ff1-ce00-000000000000" or "00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or - "00000006-0000-0ff1-ce00-000000000000" or "00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or + "00000002-0000-0ff1-ce00-000000000000" or "ffcb16e8-f789-467c-8ce9-f826a080d987" or "00000003-0000-0ff1-ce00-000000000000" or + "00000004-0000-0ff1-ce00-000000000000" or "00000005-0000-0ff1-ce00-000000000000" or "00000006-0000-0ff1-ce00-000000000000" or + "00000007-0000-0000-c000-000000000000" or "00000007-0000-0ff1-ce00-000000000000" or "00000009-0000-0000-c000-000000000000" or "0000000c-0000-0000-c000-000000000000" or "00000015-0000-0000-c000-000000000000" or "0000001a-0000-0000-c000-000000000000" or "00b41c95-dab0-4487-9791-b9d2c32c80f2" or "022907d3-0f1b-48f7-badc-1ba6abab6d66" or "04b07795-8ddb-461a-bbee-02f9e1bf7b46" or "08e18876-6177-487e-b8b5-cf950c1e598c" or "0cb7b9ec-5336-483b-bc31-b15b5788de71" or @@ -101,8 +101,8 @@ not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e36 "2d4d3d8e-2be3-4bef-9f87-7875a61c29de" or "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8" or "3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7" or "35d54a08-36c9-4847-9018-93934c62740c" or "37182072-3c9c-4f6a-a4b3-b3f91cacffce" or "38049638-cc2c-4cde-abe4-4479d721ed44" or "3c896ded-22c5-450f-91f6-3d1ef0848f6e" or "4345a7b9-9a63-4910-a426-35363201d503" or "45a330b1-b1ec-4cc1-9161-9f03992aa49f" or - "47629505-c2b6-4a80-adb1-9b3a3d233b7b" or "4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or - "4b233688-031c-404b-9a80-a4f3f2351f90" or "4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or + "4765445b-32c6-49b0-83e6-1d93765276ca" or "497effe9-df71-4043-a8bb-14cf78c4b63b" or "4b233688-031c-404b-9a80-a4f3f2351f90" or + "4d5c2d63-cf83-4365-853c-925fd1a64357" or "51be292c-a17e-4f17-9a7e-4b661fb16dd2" or "5572c4c0-d078-44ce-b81c-6cbf8d3ed39e" or "5e3ce6c0-2b1f-4285-8d4b-75ee78787346" or "60c8bde5-3167-4f92-8fdb-059f6176dc0f" or "61109738-7d2b-4a0b-9fe3-660b1ff83505" or "62256cef-54c0-4cb4-bcac-4c67989bdc40" or "6253bca8-faf2-4587-8f2f-b056d80998a7" or "65d91a3d-ab74-42e6-8a2f-0add61688c74" or "66a88757-258c-4c72-893c-3e8bed4d6899" or "67e3df25-268a-4324-a550-0de1c7f97287" or @@ -124,7 +124,8 @@ not o365.audit.ClientAppId : ("13937bba-652e-4c46-b222-3003f4d1ff97" or "6326e36 "d73f4b35-55c9-48c7-8b10-651f6f2acb2e" or "d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0" or "de8bc8b5-d9f9-48b1-a8ad-b748da725064" or "dfe74da8-9279-44ec-8fb2-2aed9e1c73d0" or "e1ef36fd-b883-4dbf-97f0-9ece4b576fc6" or "e64aa8bc-8eb4-40e2-898b-cf261a25954f" or "e9f49c6b-5ce5-44c8-925d-015017e9f7ad" or "ee272b19-4411-433f-8f28-5c13cb6fd407" or "f5eaa862-7f08-448c-9c4e-f4047d4d4521" or - "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302") + "fb78d390-0c51-40cd-8e17-fdbfab77341b" or "fc0f3af4-6835-4174-b806-f7db311fd2f3" or "fdf9885b-dd37-42bf-82e5-c3129ef5a302" +) ---------------------------------- diff --git a/docs/detections/prebuilt-rules/rule-details/system-information-discovery-via-windows-command-shell.asciidoc b/docs/detections/prebuilt-rules/rule-details/system-information-discovery-via-windows-command-shell.asciidoc index 5196d8eae0..462bbff9c8 100644 --- a/docs/detections/prebuilt-rules/rule-details/system-information-discovery-via-windows-command-shell.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/system-information-discovery-via-windows-command-shell.asciidoc @@ -10,6 +10,8 @@ Identifies the execution of discovery commands to enumerate system information, * winlogbeat-* * logs-windows.* * logs-endpoint.events.process-* +* endgame-* +* logs-system.security* *Severity*: low @@ -33,8 +35,9 @@ Identifies the execution of discovery commands to enumerate system information, * Resources: Investigation Guide * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Elastic Endgame -*Version*: 10 +*Version*: 11 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/tampering-of-shell-command-line-history.asciidoc b/docs/detections/prebuilt-rules/rule-details/tampering-of-shell-command-line-history.asciidoc index 3f53ba270f..114f384976 100644 --- a/docs/detections/prebuilt-rules/rule-details/tampering-of-shell-command-line-history.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/tampering-of-shell-command-line-history.asciidoc @@ -35,7 +35,7 @@ Adversaries may attempt to clear or disable the Bash command-line history in an * Data Source: Elastic Endgame * Data Source: Auditd Manager -*Version*: 105 +*Version*: 106 *Rule authors*: @@ -70,7 +70,7 @@ process where event.action in ("exec", "exec_event", "executed", "process_starte (process.args : "truncate" and process.args : "-s0")) and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history", ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or - (process.name : "history" and process.args : "-c") or + (process.args : "history" and process.args : "-c") or (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or (process.args : "unset" and process.args : "HISTFILE") or (process.args : "set" and process.args : "history" and process.args : "+o") diff --git a/docs/detections/prebuilt-rules/rule-details/unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/rule-details/unusual-file-creation-alternate-data-stream.asciidoc index 119e9c3bf8..8e56594a63 100644 --- a/docs/detections/prebuilt-rules/rule-details/unusual-file-creation-alternate-data-stream.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/unusual-file-creation-alternate-data-stream.asciidoc @@ -33,7 +33,7 @@ Identifies suspicious creation of Alternate Data Streams on highly targeted file * Data Source: Elastic Defend * Data Source: Sysmon -*Version*: 114 +*Version*: 115 *Rule authors*: @@ -136,36 +136,41 @@ file where host.os.type == "windows" and event.type == "creation" and file.path : "C:\\*:*" and not file.path : ("C:\\*:zone.identifier*", - "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA") and - - not process.executable : - ("?:\\windows\\System32\\svchost.exe", - "?:\\Windows\\System32\\inetsrv\\w3wp.exe", - "?:\\Windows\\explorer.exe", - "?:\\Windows\\System32\\sihost.exe", - "?:\\Windows\\System32\\PickerHost.exe", - "?:\\Windows\\System32\\SearchProtocolHost.exe", - "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", - "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe", - "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", - "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe", - "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", - "?:\\Program Files\\Mozilla Firefox\\firefox.exe", - "?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", - "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", - "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", - "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", - "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", - "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", - "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", - "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE") and + "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA", + "C:\\Windows\\CSC\\*:CscBitmapStream") and + + not process.executable : ( + "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\DataExchangeHost.exe", + "?:\\Windows\\System32\\drivers\\Intel\\ICPS\\IntelConnectivityNetworkService.exe", + "?:\\Windows\\System32\\drivers\\RivetNetworks\\Killer\\KillerNetworkService.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\System32\\PickerHost.exe", + "?:\\Windows\\System32\\RuntimeBroker.exe", + "?:\\Windows\\System32\\SearchProtocolHost.exe", + "?:\\Windows\\System32\\sihost.exe", + "?:\\windows\\System32\\svchost.exe" + ) and file.extension : ( "pdf", "dll", - "png", "exe", "dat", "com", diff --git a/docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc b/docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc index ec72094816..10d50b5e03 100644 --- a/docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc @@ -11,6 +11,7 @@ Detects the execution of commands used to discover information about the system, * logs-endpoint.events.process-* * logs-windows.* * endgame-* +* logs-system.security* *Severity*: low @@ -34,7 +35,7 @@ Detects the execution of commands used to discover information about the system, * Data Source: Elastic Defend * Data Source: Elastic Endgame -*Version*: 4 +*Version*: 5 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc b/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc index 84dbb6f992..f5b018eb09 100644 --- a/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc @@ -8,6 +8,9 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b *Rule indices*: * logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* +* logs-system.security* *Severity*: low @@ -29,8 +32,10 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b * Tactic: Lateral Movement * Data Source: Elastic Defend * Rule Type: BBR +* Data Source: Sysmon +* Data Source: Elastic Endgame -*Version*: 4 +*Version*: 5 *Rule authors*: diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 29e5324b81..6862ed133f 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -109,3 +109,5 @@ include::detections/prebuilt-rules/downloadable-packages/8-13-9/prebuilt-rules-8 include::detections/prebuilt-rules/downloadable-packages/8-13-10/prebuilt-rules-8-13-10-appendix.asciidoc[] include::detections/prebuilt-rules/downloadable-packages/8-13-11/prebuilt-rules-8-13-11-appendix.asciidoc[] + +include::detections/prebuilt-rules/downloadable-packages/8-13-12/prebuilt-rules-8-13-12-appendix.asciidoc[]