From ca52f20a4e1b91ee843aa06ef439570b68bb1747 Mon Sep 17 00:00:00 2001 From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Wed, 15 May 2024 19:41:33 +0200 Subject: [PATCH] [Detection Rules] Adding Documents for v8.14.1 Pre-Built Detection Rules (#5216) --- ...-keychain-credentials-directories.asciidoc | 136 + ...behavior-detected-elastic-endgame.asciidoc | 59 + ...xecution-at-volume-root-directory.asciidoc | 73 + ...ion-with-administrator-privileges.asciidoc | 111 + ...authorization-plugin-modification.asciidoc | 106 + ...credential-fetch-via-assumed-role.asciidoc | 124 + ...-component-object-model-hijacking.asciidoc | 208 ++ ...n-to-commonly-abused-web-services.asciidoc | 297 +++ ...4-1-container-workload-protection.asciidoc | 60 + ...-dumping-detected-elastic-endgame.asciidoc | 76 + ...dumping-prevented-elastic-endgame.asciidoc | 76 + ...pulation-detected-elastic-endgame.asciidoc | 72 + ...ulation-prevented-elastic-endgame.asciidoc | 72 + ...2-ami-shared-with-another-account.asciidoc | 118 + ...ilt-rule-8-14-1-endpoint-security.asciidoc | 59 + ...s-or-groups-via-built-in-commands.asciidoc | 127 + ...-exploit-detected-elastic-endgame.asciidoc | 77 + ...exploit-prevented-elastic-endgame.asciidoc | 77 + ...built-rule-8-14-1-external-alerts.asciidoc | 68 + ...ync-plugin-registered-and-enabled.asciidoc | 116 + ...ssword-retrieval-via-command-line.asciidoc | 117 + ...ller-package-spawns-network-event.asciidoc | 119 + ...-malware-detected-elastic-endgame.asciidoc | 59 + ...malware-prevented-elastic-endgame.asciidoc | 59 + ...-via-unsigned-or-untrusted-parent.asciidoc | 116 + ...on-theft-detected-elastic-endgame.asciidoc | 72 + ...n-theft-prevented-elastic-endgame.asciidoc | 72 + ...-via-docker-shortcut-modification.asciidoc | 101 + ...sistence-via-folder-action-script.asciidoc | 108 + ...tial-admin-group-account-addition.asciidoc | 107 + ...e-download-via-a-headless-browser.asciidoc | 108 + ...ential-persistence-via-login-hook.asciidoc | 117 + ...ershell-hacktool-script-by-author.asciidoc | 115 + ...h-count-of-readme-files-by-system.asciidoc | 125 + ...somware-note-file-dropped-via-smb.asciidoc | 136 + ...e-infection-across-multiple-hosts.asciidoc | 66 + ...njection-detected-elastic-endgame.asciidoc | 72 + ...jection-prevented-elastic-endgame.asciidoc | 72 + ...pt-for-credentials-with-osascript.asciidoc | 111 + ...-by-unsigned-or-untrusted-process.asciidoc | 110 + ...nsomware-detected-elastic-endgame.asciidoc | 59 + ...somware-prevented-elastic-endgame.asciidoc | 59 + ...r-query-log-configuration-deleted.asciidoc | 123 + ...ell-execution-via-apple-scripting.asciidoc | 101 + ...-suspicious-browser-child-process.asciidoc | 128 + ...1-suspicious-file-renamed-via-smb.asciidoc | 138 + ...ous-macos-ms-office-child-process.asciidoc | 168 ++ ...web-browser-sensitive-file-access.asciidoc | 115 + ...systemkey-access-via-command-line.asciidoc | 104 + ...via-microsoft-common-console-file.asciidoc | 124 + ...-1-webproxy-settings-modification.asciidoc | 104 + .../prebuilt-rules-8-14-1-appendix.asciidoc | 57 + .../prebuilt-rules-8-14-1-summary.asciidoc | 114 + ...ebuilt-rules-downloadable-updates.asciidoc | 128 +- .../prebuilt-rules-reference.asciidoc | 2228 +++++++++++------ .../prebuilt-rules/rule-desc-index.asciidoc | 468 +++- .../a-scheduled-task-was-created.asciidoc | 78 +- .../a-scheduled-task-was-updated.asciidoc | 85 +- ...l-process-id-or-lock-file-created.asciidoc | 198 +- .../abnormally-large-dns-response.asciidoc | 124 +- ...ed-default-telnet-port-connection.asciidoc | 114 +- ...ess-to-a-sensitive-ldap-attribute.asciidoc | 100 +- ...-keychain-credentials-directories.asciidoc | 183 +- .../accessing-outlook-data-files.asciidoc | 69 + ...ured-with-never-expiring-password.asciidoc | 105 +- ...covery-command-via-system-account.asciidoc | 228 +- ...roup-discovery-via-built-in-tools.asciidoc | 92 + .../account-password-reset-remotely.asciidoc | 139 +- ...-hidden-file-attribute-via-attrib.asciidoc | 177 +- .../adfind-command-activity.asciidoc | 215 +- ...vileges-assigned-to-an-okta-group.asciidoc | 75 +- ...tor-role-assigned-to-an-okta-user.asciidoc | 66 +- .../adminsdholder-backdoor.asciidoc | 62 +- ...insdholder-sdprop-exclusion-added.asciidoc | 154 +- .../adobe-hijack-persistence.asciidoc | 203 +- ...behavior-detected-elastic-endgame.asciidoc | 66 +- ...gent-spoofing-mismatched-agent-id.asciidoc | 43 +- ...g-multiple-hosts-using-same-agent.asciidoc | 40 +- ...xecution-at-volume-root-directory.asciidoc | 73 + ...anomalous-linux-compiler-activity.asciidoc | 56 +- ...us-process-for-a-linux-population.asciidoc | 119 +- ...-process-for-a-windows-population.asciidoc | 156 +- ...nomalous-windows-process-creation.asciidoc | 134 +- ...on-followed-by-network-connection.asciidoc | 123 +- ...ion-with-administrator-privileges.asciidoc | 92 +- ...-added-to-google-workspace-domain.asciidoc | 144 +- ...rom-blocklist-in-google-workspace.asciidoc | 120 +- ...chive-file-with-unusual-extension.asciidoc | 83 + .../at-exe-command-lateral-movement.asciidoc | 81 + ...tempt-to-clear-kernel-ring-buffer.asciidoc | 114 + .../attempt-to-create-okta-api-token.asciidoc | 76 +- ...to-deactivate-an-okta-application.asciidoc | 101 +- ...o-deactivate-an-okta-network-zone.asciidoc | 105 +- ...to-deactivate-an-okta-policy-rule.asciidoc | 123 +- ...empt-to-deactivate-an-okta-policy.asciidoc | 123 +- ...mpt-to-delete-an-okta-application.asciidoc | 68 +- ...pt-to-delete-an-okta-network-zone.asciidoc | 105 +- ...mpt-to-delete-an-okta-policy-rule.asciidoc | 112 +- .../attempt-to-delete-an-okta-policy.asciidoc | 123 +- .../attempt-to-disable-gatekeeper.asciidoc | 91 +- ...t-to-disable-iptables-or-firewall.asciidoc | 117 + ...attempt-to-disable-syslog-service.asciidoc | 133 +- ...ttempt-to-enable-the-root-account.asciidoc | 86 +- ...mpt-to-install-kali-linux-via-wsl.asciidoc | 73 + ...tempt-to-install-root-certificate.asciidoc | 97 +- ...mpt-to-modify-an-okta-application.asciidoc | 68 +- ...pt-to-modify-an-okta-network-zone.asciidoc | 132 +- ...mpt-to-modify-an-okta-policy-rule.asciidoc | 128 +- .../attempt-to-modify-an-okta-policy.asciidoc | 112 +- ...-mount-smb-share-via-command-line.asciidoc | 108 +- ...-factors-for-an-okta-user-account.asciidoc | 75 +- .../attempt-to-revoke-okta-api-token.asciidoc | 106 +- ...ndpoint-security-kernel-extension.asciidoc | 94 +- .../attempted-bypass-of-okta-mfa.asciidoc | 117 +- .../attempted-private-key-access.asciidoc | 82 + ...orce-a-microsoft-365-user-account.asciidoc | 113 +- ...-brute-force-an-okta-user-account.asciidoc | 112 +- ...authorization-plugin-modification.asciidoc | 97 +- ...se-denied-models-by-a-single-user.asciidoc | 69 + ...s-within-a-single-blocked-request.asciidoc | 70 + ...s-by-a-single-user-over-a-session.asciidoc | 69 + .../aws-cloudtrail-log-created.asciidoc | 84 +- .../aws-cloudtrail-log-deleted.asciidoc | 140 +- .../aws-cloudtrail-log-suspended.asciidoc | 137 +- .../aws-cloudtrail-log-updated.asciidoc | 142 +- .../aws-cloudwatch-alarm-deletion.asciidoc | 131 +- ...aws-cloudwatch-log-group-deletion.asciidoc | 144 +- ...ws-cloudwatch-log-stream-deletion.asciidoc | 144 +- .../aws-config-resource-deletion.asciidoc | 142 +- ...ws-configuration-recorder-stopped.asciidoc | 85 +- ...s-searched-for-inside-a-container.asciidoc | 70 + ...letion-of-rds-instance-or-cluster.asciidoc | 104 +- ...credential-fetch-via-assumed-role.asciidoc | 124 + .../aws-ec2-encryption-disabled.asciidoc | 86 +- ...l-network-packet-capture-detected.asciidoc | 77 +- ...work-access-control-list-creation.asciidoc | 87 +- ...work-access-control-list-deletion.asciidoc | 90 +- .../aws-ec2-snapshot-activity.asciidoc | 127 +- .../aws-ec2-vm-export-failure.asciidoc | 64 +- ...-efs-file-system-or-mount-deleted.asciidoc | 76 +- ...lasticache-security-group-created.asciidoc | 75 +- ...ecurity-group-modified-or-deleted.asciidoc | 80 +- ...ntbridge-rule-disabled-or-deleted.asciidoc | 75 +- .../aws-execution-via-system-manager.asciidoc | 138 +- .../aws-guardduty-detector-deletion.asciidoc | 88 +- ...aws-iam-assume-role-policy-update.asciidoc | 131 +- ...brute-force-of-assume-role-policy.asciidoc | 139 +- ...ws-iam-deactivation-of-mfa-device.asciidoc | 126 +- .../aws-iam-group-creation.asciidoc | 89 +- .../aws-iam-group-deletion.asciidoc | 81 +- ...s-iam-login-profile-added-to-user.asciidoc | 75 + ...s-iam-password-recovery-requested.asciidoc | 82 +- .../aws-iam-user-addition-to-group.asciidoc | 131 +- ...isabled-or-scheduled-for-deletion.asciidoc | 48 +- ...brute-force-of-root-user-identity.asciidoc | 67 +- ...aws-management-console-root-login.asciidoc | 129 +- .../aws-rds-cluster-creation.asciidoc | 89 +- ...aws-rds-instance-cluster-stoppage.asciidoc | 81 +- .../aws-rds-instance-creation.asciidoc | 69 +- .../aws-rds-security-group-creation.asciidoc | 71 +- .../aws-rds-security-group-deletion.asciidoc | 67 +- .../aws-rds-snapshot-export.asciidoc | 62 +- .../aws-rds-snapshot-restored.asciidoc | 74 +- .../aws-redshift-cluster-creation.asciidoc | 62 +- .../aws-root-login-without-mfa.asciidoc | 135 +- ...-53-domain-transfer-lock-disabled.asciidoc | 64 +- ...in-transferred-to-another-account.asciidoc | 65 +- .../aws-route-table-created.asciidoc | 78 +- ...s-route-table-modified-or-deleted.asciidoc | 72 +- ...hosted-zone-associated-with-a-vpc.asciidoc | 68 +- ...-s3-bucket-configuration-deletion.asciidoc | 88 +- ...bucket-enumeration-or-brute-force.asciidoc | 147 ++ .../rule-details/aws-saml-activity.asciidoc | 76 +- ...up-configuration-change-detection.asciidoc | 100 +- ...oken-service-sts-assumerole-usage.asciidoc | 83 +- .../aws-sts-getsessiontoken-abuse.asciidoc | 76 +- .../aws-vpc-flow-logs-deletion.asciidoc | 137 +- ...-waf-access-control-list-deletion.asciidoc | 88 +- ...s-waf-rule-or-rule-group-deletion.asciidoc | 98 +- ...ctive-directory-high-risk-sign-in.asciidoc | 116 +- ...-high-risk-user-sign-in-heuristic.asciidoc | 100 +- ...tive-directory-powershell-sign-in.asciidoc | 122 +- ...lobal-administrator-role-assigned.asciidoc | 67 +- ...pression-rule-created-or-modified.asciidoc | 69 +- ...plication-credential-modification.asciidoc | 71 +- .../azure-automation-account-created.asciidoc | 84 +- ...ation-runbook-created-or-modified.asciidoc | 89 +- .../azure-automation-runbook-deleted.asciidoc | 99 +- .../azure-automation-webhook-created.asciidoc | 85 +- ...ntainer-access-level-modification.asciidoc | 86 +- ...ure-blob-permissions-modification.asciidoc | 75 +- ...mand-execution-on-virtual-machine.asciidoc | 84 +- ...onditional-access-policy-modified.asciidoc | 86 +- ...zure-diagnostic-settings-deletion.asciidoc | 87 +- ...orization-rule-created-or-updated.asciidoc | 88 +- .../azure-event-hub-deletion.asciidoc | 91 +- ...re-external-guest-user-invitation.asciidoc | 81 +- .../azure-firewall-policy-deletion.asciidoc | 90 +- ...ation-firewall-waf-policy-deleted.asciidoc | 65 +- ...l-network-packet-capture-detected.asciidoc | 74 +- ...strator-role-addition-to-pim-user.asciidoc | 91 +- .../azure-key-vault-modified.asciidoc | 87 +- .../azure-kubernetes-events-deleted.asciidoc | 79 +- .../azure-kubernetes-pods-deleted.asciidoc | 70 +- ...e-kubernetes-rolebindings-created.asciidoc | 70 +- .../azure-network-watcher-deletion.asciidoc | 90 +- ...identity-management-role-modified.asciidoc | 124 +- .../azure-resource-group-deletion.asciidoc | 90 +- .../azure-service-principal-addition.asciidoc | 119 +- ...rvice-principal-credentials-added.asciidoc | 67 +- ...e-storage-account-key-regenerated.asciidoc | 84 +- ...etwork-device-modified-or-deleted.asciidoc | 112 +- ...base32-encoding-decoding-activity.asciidoc | 130 +- .../bash-shell-profile-modification.asciidoc | 81 +- .../binary-content-copy-via-cmd-exe.asciidoc | 76 + ...uted-from-shared-memory-directory.asciidoc | 110 +- .../rule-details/bitsadmin-activity.asciidoc | 86 + .../bpf-filter-applied-using-tc.asciidoc | 91 +- .../browser-extension-install.asciidoc | 76 + .../bypass-uac-via-event-viewer.asciidoc | 234 +- .../cap-sys-admin-assigned-to-binary.asciidoc | 96 + .../chkconfig-service-add.asciidoc | 192 +- .../clearing-windows-console-history.asciidoc | 160 +- .../clearing-windows-event-logs.asciidoc | 218 +- ...strike-command-and-control-beacon.asciidoc | 90 +- ...dification-through-built-in-tools.asciidoc | 135 + ...icy-modification-through-registry.asciidoc | 146 ++ ...-execution-via-solarwinds-process.asciidoc | 115 +- ...command-prompt-network-connection.asciidoc | 187 +- ...ell-activity-started-via-rundll32.asciidoc | 126 +- .../component-object-model-hijacking.asciidoc | 319 +-- ...ion-dll-loaded-by-unusual-process.asciidoc | 78 + ...wned-by-suspicious-parent-process.asciidoc | 191 +- ...ed-free-ssl-certificate-providers.asciidoc | 113 +- ...n-to-commonly-abused-web-services.asciidoc | 479 ++-- ...on-to-external-network-via-telnet.asciidoc | 151 +- ...on-to-internal-network-via-telnet.asciidoc | 151 +- ...nt-utility-run-inside-a-container.asciidoc | 60 + .../container-workload-protection.asciidoc | 60 + ...el-process-with-unusual-arguments.asciidoc | 121 +- .../creation-of-a-dns-named-record.asciidoc | 95 + ...on-of-a-hidden-local-user-account.asciidoc | 121 +- ...s-and-directories-via-commandline.asciidoc | 149 +- ...-of-hidden-launch-agent-or-daemon.asciidoc | 117 +- ...idden-login-item-via-apple-script.asciidoc | 98 +- ...tion-of-hidden-shared-object-file.asciidoc | 110 +- .../creation-of-kernel-module.asciidoc | 69 + ...eation-of-settingcontent-ms-files.asciidoc | 83 + ...new-gpo-scheduled-task-or-service.asciidoc | 122 +- ...f-domain-backup-dpapi-private-key.asciidoc | 111 +- ...-modification-of-root-certificate.asciidoc | 215 +- ...isition-via-registry-hive-dumping.asciidoc | 175 +- ...-dumping-detected-elastic-endgame.asciidoc | 81 +- ...dumping-prevented-elastic-endgame.asciidoc | 81 +- ...pulation-detected-elastic-endgame.asciidoc | 79 +- ...ulation-prevented-elastic-endgame.asciidoc | 79 +- ...ged-by-previously-unknown-process.asciidoc | 226 ++ ...-privileged-access-security-error.asciidoc | 60 +- ...cess-security-recommended-monitor.asciidoc | 68 +- ...lt-strike-team-server-certificate.asciidoc | 94 +- .../delayed-execution-via-ping.asciidoc | 148 ++ ...te-volume-usn-journal-with-fsutil.asciidoc | 151 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 177 +- .../direct-outbound-smb-connection.asciidoc | 198 +- ...ecurity-logs-using-built-in-tools.asciidoc | 183 +- ...-windows-firewall-rules-via-netsh.asciidoc | 175 +- ...control-via-registry-modification.asciidoc | 178 +- ...-security-settings-via-powershell.asciidoc | 166 +- .../discovery-of-domain-groups.asciidoc | 68 + ...t-capabilities-via-built-in-tools.asciidoc | 66 + ...s-over-https-enabled-via-registry.asciidoc | 90 +- .../rule-details/dns-tunneling.asciidoc | 51 +- ...-google-workspace-trusted-domains.asciidoc | 145 +- .../downloaded-shortcut-files.asciidoc | 79 + .../downloaded-url-files.asciidoc | 77 + ...ount-hashes-via-built-in-commands.asciidoc | 83 +- ...hain-content-via-security-command.asciidoc | 87 +- .../rule-details/dynamic-linker-copy.asciidoc | 177 +- ...2-ami-shared-with-another-account.asciidoc | 118 + .../eggshell-backdoor-execution.asciidoc | 51 +- .../elastic-agent-service-terminated.asciidoc | 127 +- ...nd-rules-creation-or-modification.asciidoc | 98 +- ...-host-network-discovery-via-netsh.asciidoc | 128 +- ...executable-stored-in-the-registry.asciidoc | 70 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 178 +- .../rule-details/endpoint-security.asciidoc | 48 +- ...ing-domain-trusts-via-dsquery-exe.asciidoc | 121 + ...ting-domain-trusts-via-nltest-exe.asciidoc | 126 + ...tion-command-spawned-via-wmiprvse.asciidoc | 141 +- ...eration-of-administrator-accounts.asciidoc | 192 +- ...ration-of-kernel-modules-via-proc.asciidoc | 84 + .../enumeration-of-kernel-modules.asciidoc | 111 +- ...rivileged-local-groups-membership.asciidoc | 259 +- ...s-or-groups-via-built-in-commands.asciidoc | 176 +- .../esxi-discovery-via-find.asciidoc | 104 + .../esxi-discovery-via-grep.asciidoc | 106 + ...-timestomping-using-touch-command.asciidoc | 109 + ...nge-mailbox-export-via-powershell.asciidoc | 130 + ...creation-with-multiple-extensions.asciidoc | 114 +- ...table-file-with-unusual-extension.asciidoc | 80 + ...le-masquerading-as-kernel-process.asciidoc | 110 + ...ble-media-with-network-connection.asciidoc | 68 + ...om-unusual-directory-command-line.asciidoc | 560 ++--- .../execution-of-an-unsigned-service.asciidoc | 80 + ...ecution-of-com-object-via-xwizard.asciidoc | 93 +- ...n-or-modified-by-microsoft-office.asciidoc | 163 +- ...written-or-modified-by-pdf-reader.asciidoc | 164 +- ...-of-persistent-suspicious-program.asciidoc | 107 +- ...tron-child-process-node-js-module.asciidoc | 109 + ...ution-via-local-sxs-shared-module.asciidoc | 88 +- ...a-microsoft-dotnet-clickonce-host.asciidoc | 71 + ...isualstudio-pre-post-build-events.asciidoc | 108 + ...ssql-xp-cmdshell-stored-procedure.asciidoc | 155 ++ ...execution-via-tsclient-mountpoint.asciidoc | 82 +- ...n-via-windows-subsystem-for-linux.asciidoc | 76 + ...xplicit-credentials-via-scripting.asciidoc | 120 +- .../expired-or-revoked-driver-loaded.asciidoc | 75 + .../exploit-detected-elastic-endgame.asciidoc | 81 +- ...exploit-prevented-elastic-endgame.asciidoc | 81 +- ...g-exchange-mailbox-via-powershell.asciidoc | 181 +- .../rule-details/external-alerts.asciidoc | 62 +- ...p-lookup-from-non-browser-process.asciidoc | 248 +- ...r-added-to-google-workspace-group.asciidoc | 141 ++ ...irectory-permissions-modification.asciidoc | 73 + ...ed-or-archived-into-common-format.asciidoc | 168 ++ ...-deletion-in-suspicious-directory.asciidoc | 109 + .../file-creation-time-changed.asciidoc | 84 + .../file-deletion-via-shred.asciidoc | 112 +- ...able-via-chmod-inside-a-container.asciidoc | 76 + .../file-made-immutable-by-chattr.asciidoc | 107 +- ...ile-or-directory-deletion-command.asciidoc | 78 + ...odification-in-writable-directory.asciidoc | 123 +- ...ged-in-root-folder-of-recycle-bin.asciidoc | 67 + ...hed-inside-a-privileged-container.asciidoc | 65 + ...r-listener-established-via-netcat.asciidoc | 238 +- ...h-suspicious-extension-downloaded.asciidoc | 98 + ...ync-plugin-registered-and-enabled.asciidoc | 127 +- ...t-for-a-personal-access-token-pat.asciidoc | 62 + ...ub-repo-interaction-from-a-new-ip.asciidoc | 62 + ...ser-interaction-with-private-repo.asciidoc | 62 + ...-github-personal-access-token-pat.asciidoc | 66 + ...nce-of-ip-address-for-github-user.asciidoc | 65 + ...ta-user-session-started-via-proxy.asciidoc | 111 + ...s-token-pat-use-for-a-github-user.asciidoc | 66 + ...-github-personal-access-token-pat.asciidoc | 63 + ...-github-personal-access-token-pat.asciidoc | 66 + ...e-of-user-agent-for-a-github-user.asciidoc | 65 + ...value-accessed-in-secrets-manager.asciidoc | 132 + ...used-remote-access-tool-execution.asciidoc | 310 +++ .../first-time-seen-driver-loaded.asciidoc | 153 ++ ...ogin-from-third-party-application.asciidoc | 103 + ...seen-newcredentials-logon-process.asciidoc | 66 + .../first-time-seen-removable-device.asciidoc | 80 + ...me-seen-account-performing-dcsync.asciidoc | 164 ++ ...d-google-workspace-security-alert.asciidoc | 65 + ...er-mode-dumps-enabled-system-wide.asciidoc | 56 +- .../gcp-firewall-rule-creation.asciidoc | 84 +- .../gcp-firewall-rule-deletion.asciidoc | 84 +- .../gcp-firewall-rule-modification.asciidoc | 84 +- .../gcp-iam-custom-role-creation.asciidoc | 89 +- .../gcp-iam-role-deletion.asciidoc | 87 +- ...-iam-service-account-key-deletion.asciidoc | 90 +- .../gcp-logging-bucket-deletion.asciidoc | 93 +- .../gcp-logging-sink-deletion.asciidoc | 90 +- .../gcp-logging-sink-modification.asciidoc | 87 +- ...gcp-pub-sub-subscription-creation.asciidoc | 92 +- ...gcp-pub-sub-subscription-deletion.asciidoc | 90 +- .../gcp-pub-sub-topic-creation.asciidoc | 92 +- .../gcp-pub-sub-topic-deletion.asciidoc | 90 +- .../gcp-service-account-creation.asciidoc | 87 +- .../gcp-service-account-deletion.asciidoc | 87 +- .../gcp-service-account-disabled.asciidoc | 87 +- .../gcp-service-account-key-creation.asciidoc | 87 +- ...bucket-configuration-modification.asciidoc | 91 +- .../gcp-storage-bucket-deletion.asciidoc | 89 +- ...e-bucket-permissions-modification.asciidoc | 90 +- ...al-private-cloud-network-deletion.asciidoc | 89 +- ...tual-private-cloud-route-creation.asciidoc | 102 +- ...tual-private-cloud-route-deletion.asciidoc | 89 +- .../rule-details/github-app-deleted.asciidoc | 58 + ...github-owner-role-granted-to-user.asciidoc | 63 + .../github-pat-access-revoked.asciidoc | 60 + ...protected-branch-settings-changed.asciidoc | 63 + .../rule-details/github-repo-created.asciidoc | 60 + .../github-repository-deleted.asciidoc | 59 + ...iple-alerts-from-a-github-account.asciidoc | 56 + ...ub-user-blocked-from-organization.asciidoc | 60 + ...-transferred-via-google-workspace.asciidoc | 111 +- ...gle-workspace-2sv-policy-disabled.asciidoc | 107 +- ...ace-admin-role-assigned-to-a-user.asciidoc | 159 +- ...gle-workspace-admin-role-deletion.asciidoc | 141 +- ...main-wide-delegation-of-authority.asciidoc | 142 +- ...kspace-bitlocker-setting-disabled.asciidoc | 112 +- ...rkspace-custom-admin-role-created.asciidoc | 145 +- ...m-gmail-route-created-or-modified.asciidoc | 112 +- ...ey-s-accessed-from-anonymous-user.asciidoc | 89 + ...orkspace-mfa-enforcement-disabled.asciidoc | 161 +- ...ess-granted-to-custom-application.asciidoc | 154 ++ ...orkspace-password-policy-modified.asciidoc | 190 +- ...etplace-modified-to-allow-any-app.asciidoc | 123 +- .../google-workspace-role-modified.asciidoc | 147 +- ...ce-suspended-user-account-renewed.asciidoc | 84 + ...-user-organizational-unit-changed.asciidoc | 117 +- ...licy-abuse-for-privilege-addition.asciidoc | 141 +- ...ry-via-microsoft-gpresult-utility.asciidoc | 112 + ...fbaked-command-and-control-beacon.asciidoc | 90 +- ...s-and-directories-via-hidden-flag.asciidoc | 70 + ...ocess-arguments-in-an-rdp-session.asciidoc | 92 + ...high-mean-of-rdp-session-duration.asciidoc | 92 + ...r-of-cloned-github-repos-from-pat.asciidoc | 61 + ...password-reset-or-unlock-attempts.asciidoc | 124 +- ...ocess-and-or-service-terminations.asciidoc | 117 +- ...gh-number-of-process-terminations.asciidoc | 139 +- ...-variance-in-rdp-session-duration.asciidoc | 92 + ...s-via-windows-subsystem-for-linux.asciidoc | 71 + .../rule-details/hosts-file-modified.asciidoc | 187 +- .../hping-process-activity.asciidoc | 134 +- .../iis-http-logging-disabled.asciidoc | 156 +- ...-file-execution-options-injection.asciidoc | 129 +- ...age-loaded-with-invalid-signature.asciidoc | 70 + ...windows-update-auto-update-client.asciidoc | 165 +- ...to-an-unsecure-elasticsearch-node.asciidoc | 80 +- ...g-dcom-lateral-movement-via-mshta.asciidoc | 133 +- ...ng-dcom-lateral-movement-with-mmc.asciidoc | 121 +- ...hellbrowserwindow-or-shellwindows.asciidoc | 109 +- ...execution-via-powershell-remoting.asciidoc | 110 +- ...-execution-via-winrm-remote-shell.asciidoc | 92 +- ...and-execution-via-forfiles-pcalua.asciidoc | 66 + ...ingress-transfer-via-windows-bits.asciidoc | 170 ++ ...allation-of-custom-shim-databases.asciidoc | 89 +- ...tion-of-security-support-provider.asciidoc | 119 +- .../installutil-activity.asciidoc | 70 + ...rocess-making-network-connections.asciidoc | 89 +- ...nched-against-a-running-container.asciidoc | 79 + ...ctive-logon-by-an-unusual-process.asciidoc | 98 + ...ractive-terminal-spawned-via-perl.asciidoc | 119 +- ...ctive-terminal-spawned-via-python.asciidoc | 138 +- ...ipsec-nat-traversal-port-activity.asciidoc | 80 +- ...rberos-cached-credentials-dumping.asciidoc | 100 +- ...-authentication-disabled-for-user.asciidoc | 148 +- ...eros-traffic-from-unusual-process.asciidoc | 253 +- ...rnel-driver-load-by-non-root-user.asciidoc | 111 + .../rule-details/kernel-driver-load.asciidoc | 101 + ...load-or-unload-via-kexec-detected.asciidoc | 132 + .../kernel-module-load-via-insmod.asciidoc | 180 +- .../kernel-module-removal.asciidoc | 126 +- ...ssword-retrieval-via-command-line.asciidoc | 114 +- .../rule-details/kirbi-file-creation.asciidoc | 65 + .../krbtgt-delegation-backdoor.asciidoc | 71 +- ...etes-anonymous-request-authorized.asciidoc | 73 +- ...with-excessive-linux-capabilities.asciidoc | 83 +- ...es-denied-service-account-request.asciidoc | 52 +- ...ervice-created-with-type-nodeport.asciidoc | 68 +- ...-with-a-sensitive-hostpath-volume.asciidoc | 112 +- ...bernetes-pod-created-with-hostipc.asciidoc | 73 +- ...etes-pod-created-with-hostnetwork.asciidoc | 73 +- ...bernetes-pod-created-with-hostpid.asciidoc | 73 +- ...kubernetes-privileged-pod-created.asciidoc | 73 +- ...ent-of-controller-service-account.asciidoc | 72 +- ...es-suspicious-self-subject-review.asciidoc | 86 +- .../kubernetes-user-exec-into-pod.asciidoc | 81 +- ...teral-movement-via-startup-folder.asciidoc | 103 +- ...odification-and-immediate-loading.asciidoc | 104 +- ...odification-and-immediate-loading.asciidoc | 113 +- .../linux-group-creation.asciidoc | 158 ++ ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 106 + .../linux-process-hooking-via-gdb.asciidoc | 74 + ...shell-breakout-via-linux-binary-s.asciidoc | 245 ++ ...inux-system-information-discovery.asciidoc | 69 + .../linux-user-account-creation.asciidoc | 157 ++ ...ux-user-added-to-privileged-group.asciidoc | 174 ++ ...count-tokenfilter-policy-disabled.asciidoc | 69 +- .../local-scheduled-task-creation.asciidoc | 204 +- .../lsass-memory-dump-creation.asciidoc | 191 +- .../lsass-memory-dump-handle-access.asciidoc | 189 +- ...ss-process-access-via-windows-api.asciidoc | 195 ++ ...uest-predicted-to-be-a-dga-domain.asciidoc | 132 + ...with-a-high-dga-probability-score.asciidoc | 132 + ...redicted-to-be-malicious-activity.asciidoc | 134 + ...-high-malicious-probability-score.asciidoc | 135 + ...using-a-known-sunburst-dns-domain.asciidoc | 132 + ...ller-package-spawns-network-event.asciidoc | 147 +- .../malware-detected-elastic-endgame.asciidoc | 60 +- ...malware-prevented-elastic-endgame.asciidoc | 60 +- ...masquerading-space-after-filename.asciidoc | 56 +- ...-removed-from-github-organization.asciidoc | 60 + ...-dump-file-with-unusual-extension.asciidoc | 90 + ...-activation-for-okta-user-account.asciidoc | 120 + ...for-google-workspace-organization.asciidoc | 157 +- ...change-anti-phish-policy-deletion.asciidoc | 70 +- ...ange-anti-phish-rule-modification.asciidoc | 70 +- ...im-signing-configuration-disabled.asciidoc | 73 +- ...t-365-exchange-dlp-policy-removed.asciidoc | 70 +- ...ge-malware-filter-policy-deletion.asciidoc | 70 +- ...-malware-filter-rule-modification.asciidoc | 70 +- ...-management-group-role-assignment.asciidoc | 70 +- ...nge-safe-attachment-rule-disabled.asciidoc | 70 +- ...xchange-safe-link-policy-disabled.asciidoc | 70 +- ...-exchange-transport-rule-creation.asciidoc | 73 +- ...hange-transport-rule-modification.asciidoc | 70 +- ...lobal-administrator-role-assigned.asciidoc | 65 +- ...ft-365-impossible-travel-activity.asciidoc | 72 + ...365-inbox-forwarding-rule-created.asciidoc | 117 +- ...65-mass-download-by-a-single-user.asciidoc | 68 + ...365-potential-ransomware-activity.asciidoc | 64 +- ...m-application-interaction-allowed.asciidoc | 67 +- ...365-teams-external-access-enabled.asciidoc | 74 +- ...ft-365-teams-guest-access-enabled.asciidoc | 71 +- ...5-unusual-volume-of-file-deletion.asciidoc | 61 +- ...ser-restricted-from-sending-email.asciidoc | 61 +- ...engine-started-an-unusual-process.asciidoc | 127 +- ...ngine-started-by-a-script-process.asciidoc | 142 +- ...ngine-started-by-a-system-process.asciidoc | 120 +- ...-started-by-an-office-application.asciidoc | 199 +- ...ld-engine-using-an-alternate-name.asciidoc | 199 +- ...-um-spawning-suspicious-processes.asciidoc | 101 +- ...erver-um-writing-suspicious-files.asciidoc | 133 +- ...ge-transport-agent-install-script.asciidoc | 110 + ...ker-spawning-suspicious-processes.asciidoc | 103 +- ...iis-connection-strings-decryption.asciidoc | 99 +- ...s-service-account-password-dumped.asciidoc | 106 +- ...rosoft-windows-defender-tampering.asciidoc | 299 +-- ...mimikatz-memssp-log-file-detected.asciidoc | 146 +- ...cation-of-amsienable-registry-key.asciidoc | 167 +- ...odification-of-boot-configuration.asciidoc | 184 +- ...-shared-object-inside-a-container.asciidoc | 65 + ...amic-linker-preload-shared-object.asciidoc | 108 +- ...-via-unsigned-or-untrusted-parent.asciidoc | 116 + .../modification-of-openssh-binaries.asciidoc | 215 +- ...ari-settings-via-defaults-command.asciidoc | 100 +- ...ntication-module-or-configuration.asciidoc | 126 +- ...on-of-the-mspkiaccountcredentials.asciidoc | 59 +- ...tion-of-wdigest-security-provider.asciidoc | 177 +- ...n-okta-application-sign-on-policy.asciidoc | 82 +- .../rule-details/mofcomp-activity.asciidoc | 82 + ...hed-inside-a-privileged-container.asciidoc | 62 + ...ng-hidden-or-webdav-remote-shares.asciidoc | 125 +- ...o-security-registry-modifications.asciidoc | 180 +- ...sbuild-making-network-connections.asciidoc | 162 +- .../mshta-making-network-connections.asciidoc | 103 +- ...cation-disabled-for-an-azure-user.asciidoc | 122 +- ...t-att-ck-tactics-on-a-single-host.asciidoc | 28 +- .../multiple-alerts-involving-a-user.asciidoc | 45 + ...failure-followed-by-logon-success.asciidoc | 158 +- ...lure-from-the-same-source-address.asciidoc | 155 +- ...dresses-for-a-single-user-session.asciidoc | 79 + ...ssions-detected-for-a-single-user.asciidoc | 78 + ...-device-token-hash-behind-a-proxy.asciidoc | 138 + ...ltiple-vault-web-credentials-read.asciidoc | 81 +- .../rule-details/my-first-rule.asciidoc | 61 + ...espace-manipulation-using-unshare.asciidoc | 96 +- ...er-established-inside-a-container.asciidoc | 74 + ...t-listener-established-via-rlwrap.asciidoc | 105 + .../rule-details/netsh-helper-dll.asciidoc | 77 + ...network-activity-detected-via-cat.asciidoc | 185 ++ ...ork-activity-detected-via-kworker.asciidoc | 124 + ...rom-binary-with-rwx-memory-region.asciidoc | 103 + .../network-connection-via-certutil.asciidoc | 187 +- ...connection-via-compiled-html-file.asciidoc | 205 +- .../network-connection-via-msxsl.asciidoc | 107 +- ...-via-recently-compiled-executable.asciidoc | 114 + ...nnection-via-registration-utility.asciidoc | 268 +- ...work-connection-via-signed-binary.asciidoc | 210 +- ...level-authentication-nla-disabled.asciidoc | 71 + ...on-provider-registry-modification.asciidoc | 167 +- ...k-traffic-capture-via-cap-net-raw.asciidoc | 99 + ...affic-to-rare-destination-country.asciidoc | 39 +- ...oweddeviceid-added-via-powershell.asciidoc | 111 +- .../new-github-app-installed.asciidoc | 58 + .../new-github-owner-added.asciidoc | 63 + ...-authentication-behavior-detected.asciidoc | 104 + ...ntity-provider-idp-added-by-admin.asciidoc | 114 + ...new-or-modified-federation-domain.asciidoc | 78 +- ...ted-by-previously-unknown-process.asciidoc | 220 ++ .../new-systemd-timer-created.asciidoc | 187 ++ ...user-added-to-github-organization.asciidoc | 64 + .../nping-process-activity.asciidoc | 129 +- .../ntds-or-sam-database-file-copied.asciidoc | 191 +- ...sessionpipe-registry-modification.asciidoc | 82 +- ...orted-by-user-as-malware-or-phish.asciidoc | 65 +- ...ssive-single-sign-on-logon-errors.asciidoc | 73 +- ...spicious-mailbox-right-delegation.asciidoc | 87 +- ...o365-mailbox-audit-logging-bypass.asciidoc | 65 +- .../office-test-registry-persistence.asciidoc | 75 + ...force-or-password-spraying-attack.asciidoc | 109 +- .../okta-fastpass-phishing-detection.asciidoc | 78 + ...ign-in-events-via-third-party-idp.asciidoc | 128 + ...nsight-threat-suspected-promotion.asciidoc | 66 + .../okta-user-session-impersonation.asciidoc | 91 +- ...arted-from-different-geolocations.asciidoc | 79 + .../onedrive-malware-file-upload.asciidoc | 57 +- ...uled-task-activity-via-powershell.asciidoc | 108 +- .../parent-process-pid-spoofing.asciidoc | 142 +- .../peripheral-device-discovery.asciidoc | 151 +- ...on-theft-detected-elastic-endgame.asciidoc | 79 +- ...n-theft-prevented-elastic-endgame.asciidoc | 79 +- ...tence-via-bits-job-notify-cmdline.asciidoc | 79 +- ...ectoryservice-plugin-modification.asciidoc | 82 +- ...-via-docker-shortcut-modification.asciidoc | 97 +- ...sistence-via-folder-action-script.asciidoc | 132 +- ...tence-via-hidden-run-key-detected.asciidoc | 149 +- ...ript-or-desktop-file-modification.asciidoc | 220 +- ...sistence-via-login-or-logout-hook.asciidoc | 114 +- ...tence-via-microsoft-office-addins.asciidoc | 100 +- ...istence-via-microsoft-outlook-vba.asciidoc | 81 +- ...ersistence-via-powershell-profile.asciidoc | 131 +- ...stence-via-scheduled-job-creation.asciidoc | 87 +- ...ycontroller-scheduled-task-hijack.asciidoc | 147 +- ...pdate-orchestrator-service-hijack.asciidoc | 244 +- ...stence-via-wmi-event-subscription.asciidoc | 112 +- ...ia-wmi-standard-registry-provider.asciidoc | 262 +- ...-scripts-in-the-startup-directory.asciidoc | 196 +- .../port-forwarding-rule-addition.asciidoc | 167 +- ...-via-azure-registered-application.asciidoc | 160 +- ...-dga-command-and-control-behavior.asciidoc | 89 +- .../possible-okta-dos-attack.asciidoc | 85 +- ...en-count-and-large-response-sizes.asciidoc | 73 + ...ning-via-wildcard-record-creation.asciidoc | 94 + ...tial-admin-group-account-addition.asciidoc | 91 +- ...n-interface-bypass-via-powershell.asciidoc | 167 ++ ...-application-shimming-via-sdbinst.asciidoc | 124 +- ...l-buffer-overflow-attack-detected.asciidoc | 86 + ...chroot-container-escape-via-mount.asciidoc | 116 + ...ial-code-execution-via-postgresql.asciidoc | 106 + ...and-control-via-internet-explorer.asciidoc | 140 +- ...a-modified-notify-on-release-file.asciidoc | 63 + ...e-via-modified-release-agent-file.asciidoc | 64 + ...okies-theft-via-browser-debugging.asciidoc | 95 +- ...tial-credential-access-via-dcsync.asciidoc | 216 +- ...cess-via-duplicatehandle-in-lsass.asciidoc | 92 +- ...tial-access-via-lsass-memory-dump.asciidoc | 121 +- ...ess-via-memory-dump-file-creation.asciidoc | 106 + ...cess-via-renamed-com-services-dll.asciidoc | 171 +- ...ess-via-trusted-developer-utility.asciidoc | 221 +- ...tial-access-via-windows-utilities.asciidoc | 247 +- ...otential-cross-site-scripting-xss.asciidoc | 62 + ...-curl-cve-2023-38545-exploitation.asciidoc | 120 + ...ty-to-an-unusual-destination-port.asciidoc | 91 + ...activity-to-an-unusual-ip-address.asciidoc | 91 + ...n-activity-to-an-unusual-iso-code.asciidoc | 91 + ...ion-activity-to-an-unusual-region.asciidoc | 91 + ...ial-defense-evasion-via-cmstp-exe.asciidoc | 67 + ...tential-defense-evasion-via-proot.asciidoc | 101 + .../potential-dga-activity.asciidoc | 122 + .../potential-disabling-of-apparmor.asciidoc | 109 + .../potential-disabling-of-selinux.asciidoc | 128 +- ...ft-antimalware-service-executable.asciidoc | 107 +- ...ng-via-trusted-microsoft-programs.asciidoc | 96 + ...ential-dns-tunneling-via-nslookup.asciidoc | 132 +- ...-via-active-directory-web-service.asciidoc | 74 + ...ential-evasion-via-filter-manager.asciidoc | 171 +- ...on-via-windows-filtering-platform.asciidoc | 134 + ...otential-execution-via-xzbackdoor.asciidoc | 98 + ...quoted-service-path-vulnerability.asciidoc | 67 + ...al-linux-ssh-brute-force-detected.asciidoc | 159 ++ ...e-download-via-a-headless-browser.asciidoc | 108 + ...tential-file-transfer-via-certreq.asciidoc | 152 ++ ...idden-local-user-account-creation.asciidoc | 87 +- ...-hidden-process-via-mount-hidepid.asciidoc | 105 + ...al-linux-ssh-brute-force-detected.asciidoc | 155 ++ ...invoke-mimikatz-powershell-script.asciidoc | 152 +- ...al-java-jndi-exploitation-attempt.asciidoc | 95 +- ...ntial-kerberos-attack-via-bifrost.asciidoc | 107 +- ...teral-tool-transfer-via-smb-share.asciidoc | 149 +- ...ux-backdoor-user-account-creation.asciidoc | 168 ++ ...ntial-dumping-via-proc-filesystem.asciidoc | 112 + ...x-credential-dumping-via-unshadow.asciidoc | 105 + ...otential-linux-hack-tool-launched.asciidoc | 114 + ...ocal-account-brute-force-detected.asciidoc | 106 + ...ransomware-note-creation-detected.asciidoc | 111 + ...otential-linux-ssh-x11-forwarding.asciidoc | 141 ++ ...-tunneling-and-or-port-forwarding.asciidoc | 196 ++ ...tential-local-ntlm-relay-via-http.asciidoc | 87 +- ...-lsa-authentication-package-abuse.asciidoc | 68 +- ...e-creation-via-psscapturesnapshot.asciidoc | 73 +- ...emory-dump-via-psscapturesnapshot.asciidoc | 76 +- ...al-macos-ssh-brute-force-detected.asciidoc | 83 +- ...l-masquerading-as-browser-process.asciidoc | 198 ++ ...erading-as-business-app-installer.asciidoc | 217 ++ ...asquerading-as-communication-apps.asciidoc | 134 + ...tial-masquerading-as-system32-dll.asciidoc | 157 ++ ...squerading-as-system32-executable.asciidoc | 120 + ...potential-masquerading-as-vlc-dll.asciidoc | 82 + ...potential-memory-seeking-activity.asciidoc | 69 + ...tential-meterpreter-reverse-shell.asciidoc | 131 + ...-microsoft-office-sandbox-evasion.asciidoc | 86 +- ...ication-of-accessibility-binaries.asciidoc | 265 +- .../potential-network-scan-detected.asciidoc | 74 + ...l-network-scan-executed-from-host.asciidoc | 103 + ...potential-network-share-discovery.asciidoc | 76 + .../potential-network-sweep-detected.asciidoc | 75 + ...andard-port-http-https-connection.asciidoc | 159 ++ ...-non-standard-port-ssh-connection.asciidoc | 48 +- ...fa-bombing-via-push-notifications.asciidoc | 129 + ...openssh-backdoor-logging-activity.asciidoc | 169 +- ...rdp-connection-by-unusual-process.asciidoc | 77 + ...tential-pass-the-hash-pth-attempt.asciidoc | 69 + ...ng-of-microsoft-365-user-accounts.asciidoc | 104 +- ...rsistence-through-init-d-detected.asciidoc | 189 ++ ...rough-motd-file-creation-detected.asciidoc | 181 ++ ...ence-through-run-control-detected.asciidoc | 184 ++ ...persistence-through-systemd-udevd.asciidoc | 104 + ...via-atom-init-script-modification.asciidoc | 83 +- ...ential-persistence-via-login-hook.asciidoc | 110 +- ...al-persistence-via-periodic-tasks.asciidoc | 87 +- ...ce-via-time-provider-modification.asciidoc | 147 +- ...rint-processor-registration-abuse.asciidoc | 94 +- ...ershell-hacktool-script-by-author.asciidoc | 115 + ...hacktool-script-by-function-names.asciidoc | 353 +++ ...rshell-pass-the-hash-relay-script.asciidoc | 123 + ...-bypass-via-localhost-secure-copy.asciidoc | 104 +- ...rol-bypass-via-tccdb-modification.asciidoc | 101 +- ...on-through-writable-docker-socket.asciidoc | 104 + ...on-via-container-misconfiguration.asciidoc | 115 + ...ege-escalation-via-cve-2022-38028.asciidoc | 76 + ...lege-escalation-via-cve-2023-4911.asciidoc | 114 + ...lege-escalation-via-enlightenment.asciidoc | 104 + ...alation-via-installerfiletakeover.asciidoc | 206 +- ...alation-via-linux-dac-permissions.asciidoc | 99 + ...rivilege-escalation-via-overlayfs.asciidoc | 104 + ...l-privilege-escalation-via-pkexec.asciidoc | 91 +- ...-escalation-via-python-cap-setuid.asciidoc | 109 + ...-via-recently-compiled-executable.asciidoc | 105 + ...ion-via-sudoers-file-modification.asciidoc | 49 +- ...tion-via-uid-int-max-bug-detected.asciidoc | 103 + ...ation-via-samaccountname-spoofing.asciidoc | 80 +- ...injection-from-malicious-document.asciidoc | 93 + ...-process-injection-via-powershell.asciidoc | 201 +- ...tocol-tunneling-via-chisel-client.asciidoc | 184 ++ ...tocol-tunneling-via-chisel-server.asciidoc | 184 ++ ...-protocol-tunneling-via-earthworm.asciidoc | 181 +- ...-pspy-process-monitoring-detected.asciidoc | 103 + ...h-count-of-readme-files-by-system.asciidoc | 125 + ...somware-note-file-dropped-via-smb.asciidoc | 136 + ...ote-code-execution-via-web-server.asciidoc | 201 ++ ...te-credential-access-via-registry.asciidoc | 174 +- ...remote-desktop-shadowing-activity.asciidoc | 108 +- ...remote-desktop-tunneling-detected.asciidoc | 174 +- ...remote-file-execution-via-msiexec.asciidoc | 107 + ...verse-shell-activity-via-terminal.asciidoc | 142 +- ...erse-shell-via-background-process.asciidoc | 112 + ...potential-reverse-shell-via-child.asciidoc | 119 + .../potential-reverse-shell-via-java.asciidoc | 127 + ...verse-shell-via-suspicious-binary.asciidoc | 127 + ...hell-via-suspicious-child-process.asciidoc | 135 + .../potential-reverse-shell-via-udp.asciidoc | 139 + .../potential-reverse-shell.asciidoc | 117 + ...file-deletion-via-sdelete-utility.asciidoc | 132 +- ...ow-credentials-added-to-ad-object.asciidoc | 133 +- ...e-read-via-command-line-utilities.asciidoc | 113 +- .../potential-sharprdp-behavior.asciidoc | 147 +- ...l-via-wildcard-injection-detected.asciidoc | 114 + ...ential-ssh-it-ssh-worm-downloaded.asciidoc | 120 + ...x-ftp-brute-force-attack-detected.asciidoc | 125 + ...x-rdp-brute-force-attack-detected.asciidoc | 123 + ...successful-ssh-brute-force-attack.asciidoc | 164 ++ ...potential-sudo-hijacking-detected.asciidoc | 114 + ...ege-escalation-via-cve-2019-14287.asciidoc | 105 + ...anipulation-via-process-injection.asciidoc | 114 + ...cious-clipboard-activity-detected.asciidoc | 67 + ...icious-debugfs-root-device-access.asciidoc | 106 + .../potential-suspicious-file-edit.asciidoc | 112 + ...l-syn-based-network-scan-detected.asciidoc | 74 + ...s-via-wildcard-injection-detected.asciidoc | 117 + ...-upgrade-of-non-interactive-shell.asciidoc | 106 + ...l-veeam-credential-access-command.asciidoc | 88 + ...e-infection-across-multiple-hosts.asciidoc | 66 + ...indows-error-manager-masquerading.asciidoc | 154 +- ...ows-session-hijacking-via-ccmexec.asciidoc | 63 + ...fa-bombing-via-push-notifications.asciidoc | 123 + ...rocess-started-via-tmux-or-screen.asciidoc | 65 + ...owershell-invoke-ninjacopy-script.asciidoc | 150 ++ .../powershell-kerberos-ticket-dump.asciidoc | 174 ++ ...owershell-kerberos-ticket-request.asciidoc | 161 +- .../powershell-keylogging-script.asciidoc | 197 +- ...ershell-mailbox-collection-script.asciidoc | 174 ++ .../powershell-minidump-script.asciidoc | 158 +- .../powershell-psreflect-script.asciidoc | 210 +- ...ell-script-block-logging-disabled.asciidoc | 137 +- ...-archive-compression-capabilities.asciidoc | 114 + ...cript-with-discovery-capabilities.asciidoc | 250 ++ ...ncryption-decryption-capabilities.asciidoc | 129 + ...cript-with-log-clear-capabilities.asciidoc | 113 + ...ord-policy-discovery-capabilities.asciidoc | 134 + ...-execution-capabilities-via-winrm.asciidoc | 117 + ...-token-impersonation-capabilities.asciidoc | 175 +- ...am-credential-access-capabilities.asciidoc | 110 + ...webcam-video-capture-capabilities.asciidoc | 111 + ...wershell-share-enumeration-script.asciidoc | 150 +- ...ery-related-windows-api-functions.asciidoc | 227 +- ...us-payload-encoded-and-compressed.asciidoc | 202 +- ...t-with-audio-capture-capabilities.asciidoc | 181 +- ...-clipboard-retrieval-capabilities.asciidoc | 171 ++ ...ript-with-screenshot-capabilities.asciidoc | 165 +- ...cap-chown-cap-fowner-capabilities.asciidoc | 111 + ...ia-cap-setuid-setgid-capabilities.asciidoc | 111 + ...escalation-via-gdb-cap-sys-ptrace.asciidoc | 110 + ...tion-via-named-pipe-impersonation.asciidoc | 156 +- ...ia-rogue-named-pipe-impersonation.asciidoc | 70 +- ...ia-root-crontab-file-modification.asciidoc | 87 +- ...n-via-windir-environment-variable.asciidoc | 80 +- .../privileged-account-brute-force.asciidoc | 137 +- ...n-via-parent-process-pid-spoofing.asciidoc | 117 +- ...s-activity-via-compiled-html-file.asciidoc | 211 +- .../process-capability-enumeration.asciidoc | 101 + ...s-created-with-a-duplicated-token.asciidoc | 95 + ...ss-created-with-an-elevated-token.asciidoc | 129 +- ...cess-creation-via-secondary-logon.asciidoc | 87 +- ...ss-discovery-using-built-in-tools.asciidoc | 72 + ...scovery-via-built-in-applications.asciidoc | 74 + ...ecution-from-an-unusual-directory.asciidoc | 321 ++- ...ion-by-the-microsoft-build-engine.asciidoc | 76 +- ...njection-detected-elastic-endgame.asciidoc | 79 +- ...jection-prevented-elastic-endgame.asciidoc | 79 +- ...-started-from-process-id-pid-file.asciidoc | 106 +- ...-termination-followed-by-deletion.asciidoc | 203 +- .../processes-with-trailing-spaces.asciidoc | 71 + ...gram-files-directory-masquerading.asciidoc | 107 +- ...pt-for-credentials-with-osascript.asciidoc | 109 +- .../proxychains-activity.asciidoc | 146 ++ .../psexec-network-connection.asciidoc | 193 +- ...script-execution-via-command-line.asciidoc | 85 + ...-by-unsigned-or-untrusted-process.asciidoc | 110 + ...ery-registry-using-built-in-tools.asciidoc | 77 + ...nsomware-detected-elastic-endgame.asciidoc | 58 +- ...somware-prevented-elastic-endgame.asciidoc | 58 +- .../rule-details/rare-aws-error-code.asciidoc | 130 +- ...re-smb-connection-to-the-internet.asciidoc | 100 + .../rule-details/rare-user-logon.asciidoc | 91 +- .../rdp-enabled-via-registry.asciidoc | 164 +- ...esktop-protocol-from-the-internet.asciidoc | 166 +- ...istry-persistence-via-appcert-dll.asciidoc | 105 +- ...istry-persistence-via-appinit-dll.asciidoc | 187 +- ...mputer-account-dnshostname-update.asciidoc | 92 +- ...bled-in-windows-firewall-by-netsh.asciidoc | 140 +- .../remote-execution-via-file-shares.asciidoc | 154 +- ...emote-file-copy-to-a-hidden-share.asciidoc | 96 +- .../remote-file-copy-via-teamviewer.asciidoc | 186 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 192 +- ...remote-file-download-via-mpcmdrun.asciidoc | 182 +- ...mote-file-download-via-powershell.asciidoc | 192 +- ...e-download-via-script-interpreter.asciidoc | 166 +- ...e-scheduled-task-creation-via-rpc.asciidoc | 118 + .../remote-scheduled-task-creation.asciidoc | 164 +- ...n-enabled-via-systemsetup-command.asciidoc | 108 +- .../remote-system-discovery-commands.asciidoc | 167 +- .../remote-windows-service-installed.asciidoc | 99 +- ...mote-xsl-script-execution-via-com.asciidoc | 84 + ...remotely-started-services-via-rpc.asciidoc | 306 +-- ...enamed-autoit-scripts-interpreter.asciidoc | 162 +- ...-executed-with-short-program-name.asciidoc | 132 + ...connection-via-gdb-cap-sys-ptrace.asciidoc | 132 + ...file-downloaded-from-the-internet.asciidoc | 131 +- ...r-query-log-configuration-deleted.asciidoc | 123 + ...-procedure-call-from-the-internet.asciidoc | 154 +- ...te-procedure-call-to-the-internet.asciidoc | 154 +- ...-task-created-by-a-windows-script.asciidoc | 130 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 183 +- ...cheduled-tasks-at-command-enabled.asciidoc | 126 +- ...ver-spawning-suspicious-processes.asciidoc | 87 + ...le-modified-by-unexpected-process.asciidoc | 129 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 93 +- ...ity-software-discovery-using-wmic.asciidoc | 157 +- ...urity-software-discovery-via-grep.asciidoc | 203 +- ...e-enabled-by-a-suspicious-process.asciidoc | 94 +- .../rule-details/segfault-detected.asciidoc | 91 + ...es-compression-inside-a-container.asciidoc | 107 + .../sensitive-files-compression.asciidoc | 158 +- ...s-searched-for-inside-a-container.asciidoc | 77 + ...ationprivilege-assigned-to-a-user.asciidoc | 147 +- .../service-command-lateral-movement.asciidoc | 100 +- ...ol-spawned-via-script-interpreter.asciidoc | 213 +- ...via-local-kerberos-authentication.asciidoc | 75 +- ...isabled-via-registry-modification.asciidoc | 79 + ...vice-path-modification-via-sc-exe.asciidoc | 87 + .../service-path-modification.asciidoc | 97 + ...tcap-setuid-setgid-capability-set.asciidoc | 181 ++ .../setuid-setgid-bit-set-via-chmod.asciidoc | 131 +- ...ged-by-previously-unknown-process.asciidoc | 185 ++ .../sharepoint-malware-file-upload.asciidoc | 60 +- .../shell-configuration-modification.asciidoc | 121 + ...ell-execution-via-apple-scripting.asciidoc | 101 +- ...ten-or-modified-on-startup-folder.asciidoc | 78 + ...oxy-execution-via-ms-work-folders.asciidoc | 131 +- .../sip-provider-modification.asciidoc | 86 +- ...-sharing-activity-to-the-internet.asciidoc | 156 +- .../rule-details/smtp-on-port-26-tcp.asciidoc | 86 +- ...reupdate-preferences-modification.asciidoc | 99 +- ...s-disabling-services-via-registry.asciidoc | 150 +- .../spike-in-aws-error-messages.asciidoc | 133 +- ...to-an-external-device-via-airdrop.asciidoc | 90 + ...-bytes-sent-to-an-external-device.asciidoc | 90 + .../spike-in-failed-logon-events.asciidoc | 88 +- .../spike-in-firewall-denies.asciidoc | 39 +- .../spike-in-logon-events.asciidoc | 43 +- ...e-in-network-traffic-to-a-country.asciidoc | 80 +- .../spike-in-network-traffic.asciidoc | 42 +- ...connections-made-from-a-source-ip.asciidoc | 92 + ...nections-made-to-a-destination-ip.asciidoc | 92 + ...er-of-processes-in-an-rdp-session.asciidoc | 92 + .../spike-in-remote-file-transfers.asciidoc | 91 + ...ful-logon-events-from-a-source-ip.asciidoc | 107 + ...authorized-keys-file-modification.asciidoc | 126 +- ...-file-modified-inside-a-container.asciidoc | 85 + ...lished-inside-a-running-container.asciidoc | 83 + ...-launched-from-inside-a-container.asciidoc | 77 + ...-persistence-via-unsigned-process.asciidoc | 196 +- ...ript-added-to-group-policy-object.asciidoc | 169 +- ...-or-run-key-registry-modification.asciidoc | 430 ++-- ...rsistence-by-a-suspicious-process.asciidoc | 213 +- ...ing-activity-with-high-confidence.asciidoc | 96 + ...el-detected-c2-beaconing-activity.asciidoc | 97 + ...n-to-okta-account-after-mfa-reset.asciidoc | 125 + ...r-application-script-modification.asciidoc | 118 +- ...sudo-command-enumeration-detected.asciidoc | 99 + ...eap-based-buffer-overflow-attempt.asciidoc | 52 +- .../sudoers-file-modification.asciidoc | 82 +- .../suid-sguid-enumeration-detected.asciidoc | 119 + ...urst-command-and-control-activity.asciidoc | 210 +- ...picious-access-to-ldap-attributes.asciidoc | 81 + ...us-activity-reported-by-okta-user.asciidoc | 85 +- ...us-antimalware-scan-interface-dll.asciidoc | 142 ++ ...ous-apt-package-manager-execution.asciidoc | 129 + ...ackage-manager-network-connection.asciidoc | 118 + ...ous-automator-workflows-execution.asciidoc | 84 +- .../suspicious-browser-child-process.asciidoc | 140 +- ...icious-calendar-file-modification.asciidoc | 108 +- .../suspicious-certutil-commands.asciidoc | 183 +- ...obe-acrobat-reader-update-service.asciidoc | 116 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 99 +- ...s-communication-app-child-process.asciidoc | 299 +++ ...racted-or-decompressed-via-funzip.asciidoc | 120 + ...-crontab-creation-or-modification.asciidoc | 93 +- ...ta-encryption-via-openssl-utility.asciidoc | 105 + ...rsistence-or-privilege-escalation.asciidoc | 210 +- ...s-dynamic-linker-discovery-via-od.asciidoc | 108 + .../suspicious-emond-child-process.asciidoc | 112 +- ...-endpoint-security-parent-process.asciidoc | 140 +- ...s-execution-from-a-mounted-device.asciidoc | 97 +- ...picious-execution-from-inet-cache.asciidoc | 82 + ...tion-via-microsoft-office-add-ins.asciidoc | 123 + .../suspicious-execution-via-msiexec.asciidoc | 98 + ...ious-execution-via-scheduled-task.asciidoc | 191 +- ...n-via-windows-subsystem-for-linux.asciidoc | 97 + ...suspicious-explorer-child-process.asciidoc | 158 +- ...us-file-changes-activity-detected.asciidoc | 108 + ...e-creation-in-etc-for-persistence.asciidoc | 233 +- ...picious-file-creation-via-kworker.asciidoc | 192 ++ ...file-downloaded-from-google-drive.asciidoc | 75 + .../suspicious-file-renamed-via-smb.asciidoc | 138 + ...s-hidden-child-process-of-launchd.asciidoc | 94 +- .../suspicious-html-file-creation.asciidoc | 107 +- ...-load-taskschd-dll-from-ms-office.asciidoc | 182 ++ ...icious-imagepath-service-creation.asciidoc | 78 +- ...process-communication-via-outlook.asciidoc | 91 + ...l-spawned-from-inside-a-container.asciidoc | 72 + .../suspicious-java-child-process.asciidoc | 150 +- ...-jetbrains-teamcity-child-process.asciidoc | 98 + .../suspicious-kworker-uid-elevation.asciidoc | 113 + ...ious-lsass-access-via-malseclogon.asciidoc | 76 +- .../suspicious-lsass-process-access.asciidoc | 103 + ...ous-macos-ms-office-child-process.asciidoc | 192 +- ...ious-managed-code-hosting-process.asciidoc | 98 +- .../suspicious-memory-grep-activity.asciidoc | 65 + ...ft-365-mail-access-by-clientappid.asciidoc | 71 + ...soft-diagnostics-wizard-execution.asciidoc | 125 +- ...ous-mining-process-creation-event.asciidoc | 103 + .../suspicious-modprobe-file-event.asciidoc | 92 + ...suspicious-module-loaded-by-lsass.asciidoc | 147 ++ ...uspicious-ms-office-child-process.asciidoc | 361 +-- ...spicious-ms-outlook-child-process.asciidoc | 268 +- .../suspicious-net-code-compilation.asciidoc | 97 + ...ous-net-reflection-via-powershell.asciidoc | 200 ++ ...-by-previously-unknown-executable.asciidoc | 241 ++ ...etwork-connection-via-sudo-binary.asciidoc | 112 + ...us-network-connection-via-systemd.asciidoc | 122 + ...-tool-launched-inside-a-container.asciidoc | 82 + ...spicious-passwd-file-event-action.asciidoc | 130 + ...spicious-pdf-reader-child-process.asciidoc | 240 +- ...able-encoded-in-powershell-script.asciidoc | 186 +- ...cious-powershell-engine-imageload.asciidoc | 296 +-- .../suspicious-powershell-script.asciidoc | 64 +- ...cious-print-spooler-file-deletion.asciidoc | 75 +- ...print-spooler-point-and-print-dll.asciidoc | 77 +- ...us-print-spooler-spl-file-created.asciidoc | 196 +- ...-service-executable-file-creation.asciidoc | 100 +- .../suspicious-proc-maps-discovery.asciidoc | 102 + ...oc-pseudo-file-system-enumeration.asciidoc | 94 + ...ess-access-via-direct-system-call.asciidoc | 204 +- ...icious-process-creation-calltrace.asciidoc | 158 +- ...ion-via-renamed-psexec-executable.asciidoc | 155 +- ...rocess-spawned-from-motd-detected.asciidoc | 201 ++ ...picious-rdp-activex-client-loaded.asciidoc | 134 +- ...stry-access-via-sebackupprivilege.asciidoc | 171 +- ...suspicious-renaming-of-esxi-files.asciidoc | 104 + ...-renaming-of-esxi-index-html-file.asciidoc | 103 + ...creenconnect-client-child-process.asciidoc | 86 + ...uspicious-script-object-execution.asciidoc | 159 +- ...rvice-was-installed-in-the-system.asciidoc | 117 +- ...spicious-solarwinds-child-process.asciidoc | 127 +- ...startup-shell-folder-modification.asciidoc | 183 +- .../suspicious-symbolic-link-created.asciidoc | 129 + .../suspicious-sysctl-file-event.asciidoc | 92 + ...-by-previously-unknown-executable.asciidoc | 110 + ...cious-termination-of-esxi-process.asciidoc | 101 + ...leshooting-pack-cabinet-execution.asciidoc | 79 + ...-utility-launched-via-proxychains.asciidoc | 187 ++ ...web-browser-sensitive-file-access.asciidoc | 115 + ...suspicious-werfault-child-process.asciidoc | 141 +- .../suspicious-which-enumeration.asciidoc | 68 + ...process-cluster-spawned-by-a-host.asciidoc | 124 + ...uster-spawned-by-a-parent-process.asciidoc | 126 + ...process-cluster-spawned-by-a-user.asciidoc | 126 + ...us-wmi-event-subscription-created.asciidoc | 68 + ...ous-wmi-image-load-from-ms-office.asciidoc | 111 +- ...picious-wmic-xsl-script-execution.asciidoc | 109 +- .../suspicious-zoom-child-process.asciidoc | 175 +- .../svchost-spawning-cmd.asciidoc | 224 +- ...bolic-link-to-shadow-copy-created.asciidoc | 164 +- ...-or-moved-to-suspicious-directory.asciidoc | 130 + .../system-hosts-file-access.asciidoc | 67 + ...scovery-via-windows-command-shell.asciidoc | 105 +- .../system-log-file-deletion.asciidoc | 157 +- ...tem-network-connections-discovery.asciidoc | 67 + ...system-owner-user-discovery-linux.asciidoc | 70 + ...hrough-built-in-windows-utilities.asciidoc | 72 + .../system-shells-via-services.asciidoc | 214 +- .../system-time-discovery.asciidoc | 73 + ...systemkey-access-via-command-line.asciidoc | 96 +- .../tainted-kernel-module-load.asciidoc | 105 + ...ed-out-of-tree-kernel-module-load.asciidoc | 105 + ...ing-of-shell-command-line-history.asciidoc | 94 + ...-via-mounted-apfs-snapshot-access.asciidoc | 85 +- ...mporarily-scheduled-task-creation.asciidoc | 83 +- ...es-deleted-via-unexpected-process.asciidoc | 169 +- ...threat-intel-hash-indicator-match.asciidoc | 137 + ...-intel-ip-address-indicator-match.asciidoc | 139 + .../threat-intel-url-indicator-match.asciidoc | 142 ++ ...-windows-registry-indicator-match.asciidoc | 132 + .../timestomping-using-touch-command.asciidoc | 96 +- .../trap-signals-execution.asciidoc | 71 + ...nternet-explorer-add-on-installer.asciidoc | 137 +- ...eged-ifileoperation-com-interface.asciidoc | 115 +- ...ia-windows-directory-masquerading.asciidoc | 188 +- ...ademanager-elevated-com-interface.asciidoc | 133 +- ...diskcleanup-scheduled-task-hijack.asciidoc | 133 +- ...icmluautil-elevated-com-interface.asciidoc | 120 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 198 +- ...rom-previously-unknown-executable.asciidoc | 121 + ...zed-access-to-an-okta-application.asciidoc | 66 +- ...ommon-registry-persistence-change.asciidoc | 310 +-- ...ocess-of-macos-screensaver-engine.asciidoc | 100 +- .../unix-socket-connection.asciidoc | 71 + ...-of-binary-with-rwx-memory-region.asciidoc | 89 + ...igned-bits-service-client-process.asciidoc | 73 + ...d-dll-loaded-by-a-trusted-process.asciidoc | 112 + .../unsigned-dll-loaded-by-svchost.asciidoc | 179 ++ ...-loading-from-a-suspicious-folder.asciidoc | 167 ++ .../untrusted-driver-loaded.asciidoc | 144 ++ .../unusual-aws-command-for-a-user.asciidoc | 128 +- ...ess-from-a-system-virtual-process.asciidoc | 93 +- .../unusual-child-process-of-dns-exe.asciidoc | 136 + ...usual-child-processes-of-rundll32.asciidoc | 163 +- .../unusual-city-for-an-aws-command.asciidoc | 128 +- ...nusual-country-for-an-aws-command.asciidoc | 134 +- ...nusual-discovery-activity-by-user.asciidoc | 61 + ...with-unusual-process-command-line.asciidoc | 60 + ...t-with-unusual-process-executable.asciidoc | 55 + .../unusual-dns-activity.asciidoc | 55 +- ...tion-by-a-system-critical-process.asciidoc | 178 +- ...via-microsoft-common-console-file.asciidoc | 124 + ...le-creation-alternate-data-stream.asciidoc | 249 +- ...sual-file-modification-by-dns-exe.asciidoc | 100 + ...idence-misconduct-blocks-detected.asciidoc | 68 + .../unusual-hour-for-a-user-to-logon.asciidoc | 77 +- .../unusual-linux-network-activity.asciidoc | 67 +- ...x-network-configuration-discovery.asciidoc | 49 + ...inux-network-connection-discovery.asciidoc | 45 +- ...usual-linux-network-port-activity.asciidoc | 54 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- ...-linux-process-discovery-activity.asciidoc | 45 +- ...em-information-discovery-activity.asciidoc | 45 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...ual-linux-user-discovery-activity.asciidoc | 49 + .../unusual-linux-username.asciidoc | 78 +- .../unusual-login-activity.asciidoc | 55 +- ...vity-from-a-windows-system-binary.asciidoc | 247 +- ...al-network-connection-via-dllhost.asciidoc | 85 +- ...l-network-connection-via-rundll32.asciidoc | 233 +- ...l-network-destination-domain-name.asciidoc | 45 +- ...unusual-parent-child-relationship.asciidoc | 388 +-- ...nusual-parent-process-for-cmd-exe.asciidoc | 104 + ...persistence-via-services-registry.asciidoc | 126 +- ...usual-print-spooler-child-process.asciidoc | 129 +- ...al-process-execution-on-wbem-path.asciidoc | 77 + ...cution-path-alternate-data-stream.asciidoc | 92 +- .../unusual-process-extension.asciidoc | 92 + .../unusual-process-for-a-linux-host.asciidoc | 118 +- ...nusual-process-for-a-windows-host.asciidoc | 176 +- ...rocess-for-mssql-service-accounts.asciidoc | 111 + ...nusual-process-network-connection.asciidoc | 178 +- ...unusual-process-spawned-by-a-host.asciidoc | 126 + ...ocess-spawned-by-a-parent-process.asciidoc | 126 + ...unusual-process-spawned-by-a-user.asciidoc | 126 + ...riting-data-to-an-external-device.asciidoc | 90 + .../unusual-remote-file-directory.asciidoc | 91 + .../unusual-remote-file-extension.asciidoc | 91 + .../unusual-remote-file-size.asciidoc | 91 + ...t-child-process-childless-service.asciidoc | 166 +- ...ource-ip-for-a-user-to-logon-from.asciidoc | 43 +- .../unusual-sudo-activity.asciidoc | 47 +- ...al-time-or-day-for-an-rdp-session.asciidoc | 92 + ...user-privilege-enumeration-via-id.asciidoc | 99 + .../rule-details/unusual-web-request.asciidoc | 55 +- .../unusual-web-user-agent.asciidoc | 55 +- .../unusual-windows-network-activity.asciidoc | 72 +- .../unusual-windows-path-activity.asciidoc | 77 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- .../unusual-windows-remote-user.asciidoc | 72 +- .../unusual-windows-service.asciidoc | 61 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...user-privilege-elevation-activity.asciidoc | 57 +- .../unusual-windows-username.asciidoc | 86 +- .../user-account-creation.asciidoc | 175 +- ...-account-exposed-to-kerberoasting.asciidoc | 153 +- ...ed-as-owner-for-azure-application.asciidoc | 71 +- ...owner-for-azure-service-principal.asciidoc | 73 +- .../user-added-to-privileged-group.asciidoc | 133 +- ...library-loaded-by-unusual-process.asciidoc | 81 + ...l-machine-fingerprinting-via-grep.asciidoc | 80 +- .../virtual-machine-fingerprinting.asciidoc | 129 +- ...rivate-network-connection-attempt.asciidoc | 92 +- ...twork-computing-from-the-internet.asciidoc | 158 +- ...network-computing-to-the-internet.asciidoc | 156 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 203 +- ...adow-copy-deletion-via-powershell.asciidoc | 170 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 188 +- ...us-activity-post-request-declined.asciidoc | 62 +- ...icious-activity-sqlmap-user-agent.asciidoc | 59 +- ...ious-activity-unauthorized-method.asciidoc | 62 +- ...ess-child-of-common-web-processes.asciidoc | 188 +- .../webproxy-settings-modification.asciidoc | 102 +- .../webserver-access-logs-deleted.asciidoc | 93 +- ...fault-reflectdebugger-persistence.asciidoc | 75 + .../whoami-process-activity.asciidoc | 201 +- ...indows-account-or-group-discovery.asciidoc | 110 + ...erability-cve-2020-0601-curveball.asciidoc | 65 +- ...isabled-via-registry-modification.asciidoc | 219 +- ...r-exclusions-added-via-powershell.asciidoc | 173 +- .../windows-event-logs-cleared.asciidoc | 107 +- ...-firewall-disabled-via-powershell.asciidoc | 146 +- ...taller-with-suspicious-properties.asciidoc | 79 + .../windows-network-enumeration.asciidoc | 202 +- ...gistry-file-creation-in-smb-share.asciidoc | 134 +- ...ndows-script-executing-powershell.asciidoc | 198 +- ...rpreter-executing-process-via-wmi.asciidoc | 172 +- ...e-installed-via-an-unusual-client.asciidoc | 79 +- ...-for-linux-distribution-installed.asciidoc | 126 + ...or-linux-enabled-via-dism-utility.asciidoc | 120 + ...dows-system-information-discovery.asciidoc | 80 + ...tem-network-connections-discovery.asciidoc | 77 + .../windows-user-account-creation.asciidoc | 69 + ...ntial-dumping-using-netsh-command.asciidoc | 102 +- .../wmi-incoming-lateral-movement.asciidoc | 143 +- .../wmi-wbemtest-utility-execution.asciidoc | 65 + .../rule-details/wmic-remote-command.asciidoc | 76 + .../wpad-service-exploit.asciidoc | 74 + ...access-on-active-directory-object.asciidoc | 92 + .../zoom-meeting-with-no-passcode.asciidoc | 66 +- docs/index.asciidoc | 2 + 1170 files changed, 89360 insertions(+), 48602 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-authorization-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-component-object-model-hijacking.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-container-workload-protection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-endpoint-security.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-external-alerts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-folder-action-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-admin-group-account-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-persistence-via-login-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-shell-execution-via-apple-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-browser-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-systemkey-access-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-webproxy-settings-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/account-or-group-discovery-via-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-install-kali-linux-via-wsl.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-bedrock-detected-multiple-attempts-to-use-denied-models-by-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-bedrock-guardrails-detected-multiple-policy-violations-within-a-single-blocked-request.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-bedrock-guardrails-detected-multiple-violations-by-a-single-user-over-a-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-credentials-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-iam-login-profile-added-to-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-s3-bucket-enumeration-or-brute-force.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/browser-extension-install.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/cap-sys-admin-assigned-to-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/compression-dll-loaded-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-workload-protection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/creation-of-a-dns-named-record.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/creation-of-kernel-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/discovery-of-domain-groups.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/discovery-of-internet-capabilities-via-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-shortcut-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ec2-ami-shared-with-another-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-dsquery-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-nltest-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/executable-masquerading-as-kernel-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-electron-child-process-node-js-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/external-user-added-to-google-workspace-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-and-directory-permissions-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-compressed-or-archived-into-common-format.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-creation-time-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-made-executable-via-chmod-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-or-directory-deletion-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-system-debugger-launched-inside-a-privileged-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-with-suspicious-extension-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-github-event-for-a-personal-access-token-pat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-repo-interaction-from-a-new-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-user-interaction-with-private-repo.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-personal-access-token-pat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-okta-user-session-started-via-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-personal-access-token-pat-use-for-a-github-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-private-repo-event-from-specific-github-personal-access-token-pat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-personal-access-token-pat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-commonly-abused-remote-access-tool-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-google-workspace-oauth-login-from-third-party-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-removable-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/forwarded-google-workspace-security-alert.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-app-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-pat-access-revoked.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-repo-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-ueba-multiple-alerts-from-a-github-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-user-blocked-from-organization.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-drive-encryption-key-s-accessed-from-anonymous-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-from-external-drive-and-access-granted-to-custom-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-suspended-user-account-renewed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/group-policy-discovery-via-microsoft-gpresult-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/hidden-files-and-directories-via-hidden-flag.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-mean-of-process-arguments-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-mean-of-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-number-of-cloned-github-repos-from-pat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-variance-in-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/host-files-system-changes-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/indirect-command-execution-via-forfiles-pcalua.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ingress-transfer-via-windows-bits.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/installutil-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/interactive-exec-command-launched-against-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/interactive-logon-by-an-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-driver-load-by-non-root-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-driver-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-group-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-process-hooking-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-system-information-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/member-removed-from-github-organization.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/mfa-deactivation-with-no-re-activation-for-okta-user-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-exchange-transport-agent-install-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/mofcomp-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/mount-launched-inside-a-privileged-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-alerts-involving-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-client-addresses-for-a-single-user-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-sessions-detected-for-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-user-auth-events-with-same-device-token-hash-behind-a-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/my-first-rule.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netsh-helper-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-connection-from-binary-with-rwx-memory-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-traffic-capture-via-cap-net-raw.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-authentication-behavior-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-identity-provider-idp-added-by-admin.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-user-added-to-github-organization.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-fastpass-phishing-detection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-sign-in-events-via-third-party-idp.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-user-sessions-started-from-different-geolocations.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-abuse-of-resources-by-high-token-count-and-large-response-sizes.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-adidns-poisoning-via-wildcard-record-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-antimalware-scan-interface-bypass-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-buffer-overflow-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-chroot-container-escape-via-mount.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-container-escape-via-modified-notify-on-release-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-container-escape-via-modified-release-agent-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-cross-site-scripting-xss.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-enumeration-via-active-directory-web-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-evasion-via-windows-filtering-platform.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-execution-via-xzbackdoor.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-exploitation-of-an-unquoted-service-path-vulnerability.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-file-download-via-a-headless-browser.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-ssh-x11-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-memory-seeking-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-http-https-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-okta-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-outgoing-rdp-connection-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pass-the-hash-pth-attempt.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-systemd-udevd.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-author.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-pass-the-hash-relay-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2022-38028.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-enlightenment.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-linux-dac-permissions.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ransomware-note-file-dropped-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-child.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-clipboard-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-veeam-credential-access-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-widespread-malware-infection-across-multiple-hosts.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-windows-session-hijacking-via-ccmexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potentially-successful-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potentially-suspicious-process-started-via-tmux-or-screen.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-invoke-ninjacopy-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-kerberos-ticket-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-mailbox-collection-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-archive-compression-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-discovery-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-encryption-decryption-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-log-clear-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-veeam-credential-access-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-webcam-video-capture-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-cap-chown-cap-fowner-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-cap-setuid-setgid-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/privilege-escalation-via-gdb-cap-sys-ptrace.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-capability-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-created-with-a-duplicated-token.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-discovery-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-discovery-via-built-in-applications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/processes-with-trailing-spaces.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/proxychains-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/query-registry-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/rare-smb-connection-to-the-internet.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-scheduled-task-creation-via-rpc.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/renamed-utility-executed-with-short-program-name.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/root-network-connection-via-gdb-cap-sys-ptrace.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/route53-resolver-query-log-configuration-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/screenconnect-server-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/segfault-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-files-compression-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-keys-or-passwords-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-disabled-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shell-configuration-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shortcut-file-written-or-modified-on-startup-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-connections-made-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-connections-made-to-a-destination-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-processes-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-remote-file-transfers.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-successful-logon-events-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modified-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-connection-established-inside-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-process-launched-from-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/stolen-credentials-used-to-login-to-okta-account-after-mfa-reset.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-access-to-ldap-attributes.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-apt-package-manager-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-apt-package-manager-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-dynamic-linker-discovery-via-od.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-inet-cache.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-microsoft-office-add-ins.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-downloaded-from-google-drive.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-renamed-via-smb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-interactive-shell-spawned-from-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-jetbrains-teamcity-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-kworker-uid-elevation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-lsass-process-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-memory-grep-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-module-loaded-by-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-connection-via-sudo-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-connection-via-systemd.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-tool-launched-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-passwd-file-event-action.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-proc-maps-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-screenconnect-client-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-web-browser-sensitive-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-wmi-event-subscription-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-hosts-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-network-connections-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-owner-user-discovery-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-service-discovery-through-built-in-windows-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-time-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tainted-out-of-tree-kernel-module-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tampering-of-shell-command-line-history.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-hash-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-ip-address-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-url-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-windows-registry-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/trap-signals-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/uid-elevation-from-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unknown-execution-of-binary-with-rwx-memory-region.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-activity-by-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-signal-alert-with-unusual-process-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-signal-alert-with-unusual-process-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-execution-via-microsoft-common-console-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-high-confidence-misconduct-blocks-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-network-configuration-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-user-discovery-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-execution-on-wbem-path.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-size.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-time-or-day-for-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/veeam-backup-library-loaded-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/werfault-reflectdebugger-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-account-or-group-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-distribution-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-system-network-connections-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wmi-wbemtest-utility-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..c47cd32b56 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-14-1-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : ("/opt/jc/bin/jumpcloud-agent", "/usr/bin/basename") and + not process.Ext.effective_parent.executable : ("/opt/rapid7/ir_agent/ir_agent", + "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint", + "/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService", + "/usr/local/jamf/bin/jamf", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..fc53f93fb2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame]] +=== Adversary Behavior - Detected - Elastic Endgame + +Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc new file mode 100644 index 0000000000..5c56f2ce09 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory]] +=== Alternate Data Stream Creation/Execution at Volume Root Directory + +Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-endpoint.events.file-* +* logs-windows.sysmon_operational-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and event.category in ("file", "process") and + ( + (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or + (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..eb933ae783 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" and + not process.parent.name : "Electron" and + not process.Ext.effective_parent.executable : ("/Applications/Visual Studio Code.app/Contents/MacOS/Electron", + "/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-authorization-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-authorization-plugin-modification.asciidoc new file mode 100644 index 0000000000..0c380c60ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-authorization-plugin-modification.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-14-1-authorization-plugin-modification]] +=== Authorization Plugin Modification + +Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/documentation/security/authorization_plug-ins +* https://www.xorrior.com/persistent-credential-theft/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:(/Library/Security/SecurityAgentPlugins/* and + not (/Library/Security/SecurityAgentPlugins/KandjiPassport.bundle/* or /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*)) and + not (process.name:shove and process.code_signature.trusted:true) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Authentication Package +** ID: T1547.002 +** Reference URL: https://attack.mitre.org/techniques/T1547/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc new file mode 100644 index 0000000000..be83512020 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role]] +=== AWS EC2 Admin Credential Fetch via Assumed Role + +Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon EC2 +* Use Case: Identity and Access Audit +* Resources: Investigation Guide +* Tactic: Credential Access + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating AWS EC2 Admin Credential Fetch via Assumed Role* + + +This rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances. + +This is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call. + + +*Possible Investigation Steps* + + +- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user. +- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password. +- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident. +- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance. +- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata. +- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS. +- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates. +- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes. + + +*Response and Remediation* + + +- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions. +- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials. +- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse. +- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances. +- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems. +- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`. + + +*Additional Information* + + +Refer to resources like https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc[AWS privilege escalation methods] and the MITRE ATT&CK technique https://attack.mitre.org/techniques/T1552/005/[T1552.005 - Cloud Instance Metadata API] for more details on potential vulnerabilities and mitigation strategies. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:"aws.cloudtrail" + and event.provider:"ec2.amazonaws.com" and event.action:"GetPasswordData" + and aws.cloudtrail.user_identity.type:"AssumedRole" and aws.cloudtrail.error_code:"Client.UnauthorizedOperation" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Cloud Instance Metadata API +** ID: T1552.005 +** Reference URL: https://attack.mitre.org/techniques/T1552/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..ee037140d5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-component-object-model-hijacking.asciidoc @@ -0,0 +1,208 @@ +[[prebuilt-rule-8-14-1-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.registry-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Component Object Model Hijacking* + + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + + +*Setup* + + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" and process.executable != null and + ( + ( + registry.path : "HK*\\InprocServer32\\" and + registry.data.strings: ("scrobj.dll", "?:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" + ) or + + ( + registry.path : "HKLM\\*\\InProcServer32\\*" and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + ) or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + ( + registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute", + "HKEY_USERS\\*\\TreatAs\\", + "HKEY_USERS\\*\\ScriptletURL*" + ) + ) + ) and + + not ( + process.code_signature.trusted == true and + process.code_signature.subject_name in + ("Island Technology Inc.", "Google LLC", "Grammarly, Inc.", "Dropbox, Inc", "REFINITIV US LLC", "HP Inc.", + "Citrix Systems, Inc.", "Adobe Inc.", "Veeam Software Group GmbH", "Zhuhai Kingsoft Office Software Co., Ltd.", + "Oracle America, Inc.") + ) and + + /* excludes Microsoft signed noisy processes */ + not + ( + process.name : ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe", "MicrosoftEdgeUpdate.exe", "msrdcw.exe", "MicrosoftEdgeUpdateComRegisterShell64.exe") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") + ) and + + not process.executable : + ("?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\regsvr32.exe", + "?:\\Windows\\System32\\regsvr32.exe", + "?:\\Windows\\System32\\DriverStore\\FileRepository\\*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services.asciidoc new file mode 100644 index 0000000000..6c7321e8d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services.asciidoc @@ -0,0 +1,297 @@ +[[prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services]] +=== Connection to Commonly Abused Web Services + +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.network-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 113 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Connection to Commonly Abused Web Services* + + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. + +This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html[Investigate Markdown Plugin] introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + - !{investigate{"label":"Alerts associated with the user in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} + - !{investigate{"label":"Alerts associated with the host in the last 48h","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.name","queryType":"phrase","value":"{{host.name}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}} +- Verify whether the digital signature exists in the executable. +- Identify the operation type (upload, download, tunneling, etc.). +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - !{investigate{"label":"Investigate the Subject Process Network Events","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]]}} + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +*False positive analysis* + + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + /* Add new WebSvc domains here */ + dns.question.name : + ( + "raw.githubusercontent.*", + "pastebin.*", + "paste4btc.com", + "paste.ee", + "ghostbin.com", + "drive.google.com", + "?.docs.live.net", + "api.dropboxapi.*", + "content.dropboxapi.*", + "dl.dropboxusercontent.*", + "api.onedrive.com", + "*.onedrive.org", + "onedrive.live.com", + "filebin.net", + "*.ngrok.io", + "ngrok.com", + "*.portmap.*", + "*serveo.net", + "*localtunnel.me", + "*pagekite.me", + "*localxpose.io", + "*notabug.org", + "rawcdn.githack.*", + "paste.nrecom.net", + "zerobin.net", + "controlc.com", + "requestbin.net", + "slack.com", + "api.slack.com", + "slack-redir.net", + "slack-files.com", + "cdn.discordapp.com", + "discordapp.com", + "discord.com", + "apis.azureedge.net", + "cdn.sql.gg", + "?.top4top.io", + "top4top.io", + "www.uplooder.net", + "*.cdnmegafiles.com", + "transfer.sh", + "gofile.io", + "updates.peer2profit.com", + "api.telegram.org", + "t.me", + "meacz.gq", + "rwrd.org", + "*.publicvm.com", + "*.blogspot.com", + "api.mylnikov.org", + "file.io", + "stackoverflow.com", + "*files.1drv.com", + "api.anonfile.com", + "*hosting-profi.de", + "ipbase.com", + "ipfs.io", + "*up.freeo*.space", + "api.mylnikov.org", + "script.google.com", + "script.googleusercontent.com", + "api.notion.com", + "graph.microsoft.com", + "*.sharepoint.com", + "mbasic.facebook.com", + "login.live.com", + "api.gofile.io", + "api.anonfiles.com", + "api.notion.com", + "api.trello.com", + "gist.githubusercontent.com", + "files.pythonhosted.org", + "g.live.com", + "*.zulipchat.com", + "webhook.site", + "run.mocky.io", + "mockbin.org") and + + /* Insert noisy false positives here */ + not ( + ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe", + "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe" + ) + ) or + + /* Discord App */ + (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and + process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com") + ) or + + /* MS Sharepoint */ + (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and + process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com" + ) or + + /* Firefox */ + (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and + process.code_signature.trusted == true) + ) or + + /* Dropbox */ + (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and + process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com") + ) or + + /* Obsidian - Plugins are stored on raw.githubusercontent.com */ + (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and + process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com" + ) or + + /* WebExperienceHostApp */ + (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and + process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com") + ) or + + (process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and + dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", "login.live.com")) or + + (process.code_signature.trusted == true and + process.code_signature.subject_name : + ("Johannes Schindelin", + "Redis Inc.", + "Slack Technologies, LLC", + "Cisco Systems, Inc.", + "Dropbox, Inc", + "Amazon.com Services LLC")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ +* Sub-technique: +** Name: Exfiltration to Code Repository +** ID: T1567.001 +** Reference URL: https://attack.mitre.org/techniques/T1567/001/ +* Sub-technique: +** Name: Exfiltration to Cloud Storage +** ID: T1567.002 +** Reference URL: https://attack.mitre.org/techniques/T1567/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-container-workload-protection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-container-workload-protection.asciidoc new file mode 100644 index 0000000000..dfcf2c5d8d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-container-workload-protection.asciidoc @@ -0,0 +1,60 @@ +[[prebuilt-rule-8-14-1-container-workload-protection]] +=== Container Workload Protection + +Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-cloud_defend.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend for Containers +* Domain: Container + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:cloud_defend + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..f589c641de --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame]] +=== Credential Dumping - Detected - Elastic Endgame + +Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..0d2ddbdbdd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame]] +=== Credential Dumping - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..f5097a0504 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame]] +=== Credential Manipulation - Detected - Elastic Endgame + +Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..bc301e2f7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame]] +=== Credential Manipulation - Prevented - Elastic Endgame + +Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account.asciidoc new file mode 100644 index 0000000000..f25443bb2d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account]] +=== EC2 AMI Shared with Another Account + +Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html +* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html +* https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS EC2 +* Use Case: Threat Detection +* Tactic: Exfiltration + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating EC2 AMI Shared with Another Account* + + +This rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control. + + +*Possible Investigation Steps* + + +- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts. + - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared. +- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it. +- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. Look for any other recent permissions changes or unusual administrative actions. +- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources. +- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments. +- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing. + + +*False Positive Analysis* + + +- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating. +- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior. + + +*Response and Remediation* + + +- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI. +- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns. +- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery. +- **Policy Update**: Review and possibly update your organization’s policies on AMI sharing to tighten control and prevent unauthorized access. +- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing. + + +*Additional Information* + + +For more information on managing and sharing AMIs, refer to the https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html[Amazon EC2 User Guide on AMIs] and https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html[Sharing AMIs]. Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/[here]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" and event.provider: "ec2.amazonaws.com" + and event.action: ModifyImageAttribute and event.outcome: success + and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Transfer Data to Cloud Account +** ID: T1537 +** Reference URL: https://attack.mitre.org/techniques/T1537/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-endpoint-security.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-endpoint-security.asciidoc new file mode 100644 index 0000000000..913685198e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-endpoint-security.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-endpoint-security]] +=== Endpoint Security + +Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.alerts-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Defend + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:(endpoint and not endgame) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..97cd23e088 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + ((process.Ext.effective_parent.executable : ("/Volumes/*", "/Applications/*") or process.parent.executable : ("/Volumes/*", "/Applications/*")) or + (process.Ext.effective_parent.name : ".*" or process.parent.name : ".*")) and + not process.Ext.effective_parent.executable : ("/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", + "/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_ctl", + "/Applications/NordVPN.app/Contents/MacOS/NordVPN", + "/Applications/Xcode.app/Contents/MacOS/Xcode", + "/Applications/ESET Endpoint Security.app/Contents/Helpers/Uninstaller.app/Contents/MacOS/Uninstaller", + "/Applications/Parallels Desktop.app/Contents/MacOS/prl_client_app", + "/Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler", + "/Applications/com.avast.av.uninstaller.app/Contents/MacOS/com.avast.av.uninstaller", + "/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ESET Management Agent.app/Contents/MacOS/ERAAgent") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..5b7e9dfef5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-detected-elastic-endgame.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-14-1-exploit-detected-elastic-endgame]] +=== Exploit - Detected - Elastic Endgame + +Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..ec3c46176f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame]] +=== Exploit - Prevented - Elastic Endgame + +Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-external-alerts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-external-alerts.asciidoc new file mode 100644 index 0000000000..7ed1b64d41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-external-alerts.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-14-1-external-alerts]] +=== External Alerts + +Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. + +*Rule type*: query + +*Rule indices*: + +* apm-*-transaction* +* traces-apm* +* auditbeat-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* OS: Windows +* Data Source: APM +* OS: macOS +* OS: Linux + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and not event.module:(endgame or endpoint or cloud_defend) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled.asciidoc new file mode 100644 index 0000000000..63502b186d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled]] +=== Finder Sync Plugin Registered and Enabled + +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and + process.args : "-e" and process.args : "use" and process.args : "-i" and + not process.args : + ( + "com.google.GoogleDrive.FinderSyncAPIExtension", + "com.google.drivefs.findersync", + "com.boxcryptor.osx.Rednif", + "com.adobe.accmac.ACCFinderSync", + "com.microsoft.OneDrive.FinderSync", + "com.insynchq.Insync.Insync-Finder-Integration", + "com.box.desktop.findersyncext" + ) and + not process.parent.executable : ("/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp", + "/Applications/Google Drive.app/Contents/MacOS/Google Drive") and + not process.Ext.effective_parent.executable : ("/Applications/Google Drive.app/Contents/MacOS/Google Drive", + "/usr/local/jamf/bin/jamf", + "/Applications/Nextcloud.app/Contents/MacOS/Nextcloud", + "/Library/Application Support/Checkpoint/Endpoint Security/AMFinderExtensions.app/Contents/MacOS/AMFinderExtensions", + "/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..3831be5640 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.action == "exec" and + process.name : "security" and + process.args : ("-wa", "-ga") and process.args : ("find-generic-password", "find-internet-password") and + process.command_line : ("*Chrome*", "*Chromium*", "*Opera*", "*Safari*", "*Brave*", "*Microsoft Edge*", "*Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event.asciidoc new file mode 100644 index 0000000000..3becf9fe96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event]] +=== MacOS Installer Package Spawns Network Event + +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 +* https://github.com/D00MFist/Mystikal + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=15s +[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")] by process.entity_id +[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python", "java", "ruby", "node")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..fbc6de598e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-detected-elastic-endgame.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-malware-detected-elastic-endgame]] +=== Malware - Detected - Elastic Endgame + +Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..bd2a4fef26 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-malware-prevented-elastic-endgame.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-malware-prevented-elastic-endgame]] +=== Malware - Prevented - Elastic Endgame + +Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc new file mode 100644 index 0000000000..c85d760ba1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent]] +=== Modification of Environment Variable via Unsigned or Untrusted Parent + +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:launchctl and + (process.parent.code_signature.exists : false or process.parent.code_signature.trusted : false) and + process.args:(setenv and not (ANT_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + EDEN_ENV or + LG_WEBOS_TV_SDK_HOME or + RUNTIME_JAVA_HOME or + WEBOS_CLI_TV or + JAVA*_HOME) and + not *.vmoptions) and + not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /usr/local/bin/kr) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..1736201e7c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame]] +=== Permission Theft - Detected - Elastic Endgame + +Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..3ecf5b70d5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame]] +=== Permission Theft - Prevented - Elastic Endgame + +Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification.asciidoc new file mode 100644 index 0000000000..f3890587be --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification]] +=== Persistence via Docker Shortcut Modification + +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Preferences/com.apple.dock.plist and + not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) and + not process.executable:(/Library/Addigy/download-cache/* or "/Library/Kandji/Kandji Agent.app/Contents/MacOS/kandji-library-manager") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-folder-action-script.asciidoc new file mode 100644 index 0000000000..1c49d4966e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-persistence-via-folder-action-script.asciidoc @@ -0,0 +1,108 @@ +[[prebuilt-rule-8-14-1-persistence-via-folder-action-script]] +=== Persistence via Folder Action Script + +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type : "start" and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + process.parent.name == "com.apple.foundation.UserScriptService" and not process.args : ("/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt", "/Users/*/Library/Application Scripts/com.microsoft.*/FoxitUtils.applescript") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-admin-group-account-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-admin-group-account-addition.asciidoc new file mode 100644 index 0000000000..4113d1bb56 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-admin-group-account-addition.asciidoc @@ -0,0 +1,107 @@ +[[prebuilt-rule-8-14-1-potential-admin-group-account-addition]] +=== Potential Admin Group Account Addition + +Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append")) and + not process.Ext.effective_parent.executable : ("/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon" or + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService" or + "/opt/jc/bin/jumpcloud-agent" or + "/Library/Addigy/go-agent") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser.asciidoc new file mode 100644 index 0000000000..435f213261 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser.asciidoc @@ -0,0 +1,108 @@ +[[prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser]] +=== Potential File Download via a Headless Browser + +Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Msedge/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Windows +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential File Download via a Headless Browser* + + +- Investigate the process execution chain (parent process tree). +- Investigate the process network and file events. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and + (process.args : "--headless*" or process.args : "data:text/html;base64,*") and + process.parent.name : + ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe", + "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe", + "pcalua.exe", "wmiprvse.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-persistence-via-login-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-persistence-via-login-hook.asciidoc new file mode 100644 index 0000000000..e407ea7bab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-persistence-via-login-hook.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-14-1-potential-persistence-via-login-hook]] +=== Potential Persistence via Login Hook + +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system. + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.name:"com.apple.loginwindow.plist" and + not process.name: (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" or storagekitd or CloneKitService) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author.asciidoc new file mode 100644 index 0000000000..a44f641759 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author]] +=== Potential PowerShell HackTool Script by Author + +Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.powershell* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: PowerShell Logs + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and + powershell.file.script_block_text : ( + "mattifestation" or "JosephBialek" or + "harmj0y" or "ukstufus" or + "SecureThisShit" or "Matthew Graeber" or + "secabstraction" or "mgeeky" or + "oddvarmoe" or "am0nsec" or + "obscuresec" or "sixdub" or + "darkoperator" or "funoverip" or + "rvrsh3ll" or "kevin_robertson" or + "dafthack" or "r4wd3r" or + "danielhbohannon" or "OneLogicalMyth" or + "cobbr_io" or "xorrior" or + "PetrMedonos" or "citronneur" or + "eladshamir" or "RastaMouse" or + "enigma0x3" or "FuzzySec" or + "424f424f" or "jaredhaight" or + "fullmetalcache" or "Hubbl3" or + "curi0usJack" or "Cx01N" or + "itm4n" or "nurfed1" or + "cfalta" or "Scott Sutherland" or + "_nullbind" or "_tmenochet" or + "Boe Prox" or "jaredcatkinson" or + "ChrisTruncer" or "monoxgas" or + "TheRealWover" or "splinter_code" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc new file mode 100644 index 0000000000..af5706aa3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system]] +=== Potential Ransomware Behavior - High count of Readme files by System + +This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.file-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-1m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Possible investigation steps* + + +- Investigate the content of the readme files. +- Investigate any file names with unusual extensions. +- Investigate any incoming network connection to port 445 on this host. +- Investigate any network logon events to this host. +- Identify the total number and type of modified files by pid 4. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Local file modification from a Kernel mode driver. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and + file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb.asciidoc new file mode 100644 index 0000000000..670ba1ed2f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb]] +=== Potential Ransomware Note File Dropped via SMB + +Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file creation with similar file naming convention via SMB. + + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and event.action == "creation" and + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and file.extension : ("hta", "txt", "readme", "htm*") and + /* ransom file name keywords */ + file.name : ("*read*me*", "*lock*", "*@*", "*RECOVER*", "*decrypt*", "*restore*file*", "*FILES_BACK*", "*how*to*")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts.asciidoc new file mode 100644 index 0000000000..676bb9e1c2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts]] +=== Potential Widespread Malware Infection Across Multiple Hosts + +This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection. + +*Rule type*: esql + +*Rule indices*: None + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/elastic/protections-artifacts/tree/main/yara/rules + +*Tags*: + +* Domain: Endpoint +* Data Source: Elastic Defend +* Use Case: Threat Detection +* Tactic: Execution +* Rule Type: Higher-Order Rule + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +from logs-endpoint.alerts-* +| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null +| stats hosts = count_distinct(host.id) by rule.name, event.code +| where hosts >= 3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..a7bd73460e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame]] +=== Process Injection - Detected - Elastic Endgame + +Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..e6de731ee2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame]] +=== Process Injection - Prevented - Elastic Endgame + +Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..b31fdecd4c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and + process.name : "osascript" and process.args : "-e" and process.command_line : ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*") and + not (process.parent.executable : "/usr/bin/sudo" and process.command_line : "*Encryption Key Escrow*") and + not (process.command_line : "*-e with timeout of 3600 seconds*" and user.id == "0" and process.parent.executable : "/bin/bash") and + not process.Ext.effective_parent.executable : ("/usr/local/jamf/*", + "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements", + "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc new file mode 100644 index 0000000000..58b479f94f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process]] +=== Quarantine Attrib Removed by Unsigned or Untrusted Process + +Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://nixhacker.com/security-protection-in-macos-1/ +* https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "extended_attributes_delete" and process.executable != null and +(process.code_signature.trusted == false or process.code_signature.exists == false) and not +process.executable : ("/usr/bin/xattr", + "/System/*", + "/private/tmp/KSInstallAction.*/*/Install Google Software Update.app/Contents/Helpers/ksinstall", + "/Applications/CEWE Fotoschau.app/Contents/MacOS/FotoPlus", + "/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust") and not +file.path : "/private/var/folders/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame.asciidoc new file mode 100644 index 0000000000..d63b01eaea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame]] +=== Ransomware - Detected - Elastic Endgame + +Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame.asciidoc new file mode 100644 index 0000000000..592ba5294a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame.asciidoc @@ -0,0 +1,59 @@ +[[prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame]] +=== Ransomware - Prevented - Elastic Endgame + +Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. + +*Rule type*: query + +*Rule indices*: + +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 10m + +*Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 10000 + +*References*: None + +*Tags*: + +* Data Source: Elastic Endgame + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. + +==== Rule query + + +[source, js] +---------------------------------- +event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted.asciidoc new file mode 100644 index 0000000000..8463cd3d0d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted]] +=== Route53 Resolver Query Log Configuration Deleted + +Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 10m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: Amazon Route53 +* Use Case: Log Auditing +* Resources: Investigation Guide +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + + +*Triage and Analysis* + + + +*Investigating Route53 Resolver Query Log Configuration Deleted* + + +This rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network. + +Adversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts. + + +*Possible Investigation Steps* + + +- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated. + - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion. +- **Contextualize with User Actions**: Assess whether the deletion aligns with the user’s role and job responsibilities. + - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign. +- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations. + - Investigate any recent permission changes that might indicate role abuse or credentials compromise. +- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion. + - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems. +- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action. + + +*False Positive Analysis* + + +- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. Validate this action against change management records or through interviews with relevant personnel. + + +*Response and Remediation* + + +- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries. +- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations. + - Adjust AWS IAM policies to reinforce security measures. +- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions. +- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities. + + +*Additional Information* + + +For detailed instructions on managing Route53 Resolver and securing its configurations, refer to the https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html[Amazon Route53 Resolver documentation]. + + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com + and event.action: DeleteResolverQueryLogConfig and event.outcome: success + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Cloud Logs +** ID: T1562.008 +** Reference URL: https://attack.mitre.org/techniques/T1562/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-shell-execution-via-apple-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-shell-execution-via-apple-scripting.asciidoc new file mode 100644 index 0000000000..b734f3efa0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-shell-execution-via-apple-scripting.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-14-1-shell-execution-via-apple-scripting]] +=== Shell Execution via Apple Scripting + +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/technotes/tn2065/_index.html +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript" and process.args : "-e"] by process.entity_id + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : ("sh", "bash", "zsh") and process.args == "-c" and process.args : ("*curl*", "*pbcopy*", "*http*", "*chmod*")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-browser-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-browser-child-process.asciidoc new file mode 100644 index 0000000000..b5cb202524 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-browser-child-process.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-14-1-suspicious-browser-child-process]] +=== Suspicious Browser Child Process + +Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x43.html +* https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and + process.command_line != null and + not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and + not process.args : + ( + "hw.model", + "IOPlatformExpertDevice", + "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh", + "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer)", + "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container", + "--defaults-torrc", + "*Chrome.app", + "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh", + "/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery", + "$DISPLAY", + "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*", + "/opt/homebrew/*", + "/usr/local/*brew*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Drive-by Compromise +** ID: T1189 +** Reference URL: https://attack.mitre.org/techniques/T1189/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb.asciidoc new file mode 100644 index 0000000000..22d527c10b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb]] +=== Suspicious File Renamed via SMB + +Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Performance* + + +- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events. + + +*Possible investigation steps* + + +- Investigate the source.ip address connecting to port 445 on this host. +- Identify the user account that performed the file creation via SMB. +- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials. +- Investigate other alerts associated with the user/host during the past 48 hours. + + +*False positive analysis* + + +- Remote file rename over SMB. + + +*Related rules* + + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 +- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5 + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "windows" and + event.action == "connection_accepted" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and + source.ip != "127.0.0.1" and source.ip != "::1"] + [file where host.os.type == "windows" and + event.action == "rename" and process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-*") and + file.extension != null and file.Ext.entropy >= 6 and + file.Ext.original.name : ("*.jpg", "*.bmp", "*.png", "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx", "*.lnk") and + not file.extension : ("jpg", "bmp", "png", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "*.lnk")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..21c7b2c363 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process]] +=== Suspicious macOS MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and + process.parent.name: ( + "Microsoft Word", + "Microsoft Outlook", + "Microsoft Excel", + "Microsoft PowerPoint", + "Microsoft OneNote" + ) and + process.name : ( + "curl", + "nscurl", + "bash", + "sh", + "osascript", + "python*", + "perl*", + "mktemp", + "chmod", + "php", + "nohup", + "openssl", + "plutil", + "PlistBuddy", + "xattr", + "mktemp", + "sqlite3", + "funzip", + "popen" + ) and + + // Filter FPs related to product version discovery and Office error reporting behavior + not process.args: + ( + "ProductVersion", + "hw.model", + "ioreg", + "ProductName", + "ProductUserVisibleVersion", + "ProductBuildVersion", + "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting", + "open -a Safari *", + "defaults read *", + "sysctl hw.model*", + "ioreg -d2 -c IOPlatformExpertDevice *", + "ps aux | grep 'ToDesk_Desktop' | grep -v grep", + "PIPE=\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*" + ) and + + not process.parent.executable : + ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/lan-cache", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) and + not (process.name : "sh" and process.command_line : "*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*") and + + not process.Ext.effective_parent.executable : ( + "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", + "/usr/local/Privacy-i/PISupervisor", + "/Library/Addigy/auditor", + "/Library/Elastic/Agent/*", + "/opt/jc/bin/jumpcloud-agent", + "/usr/sbin/networksetup" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access.asciidoc new file mode 100644 index 0000000000..c7ed26cb06 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access]] +=== Suspicious Web Browser Sensitive File Access + +Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.file.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.action == "open" and process.executable != null and + file.name : ("cookies.sqlite", + "key?.db", + "logins.json", + "Cookies", + "Cookies.binarycookies", + "Login Data") and + ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript") and + not process.code_signature.signing_id : "org.mozilla.firefox" and + not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-systemkey-access-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-systemkey-access-via-command-line.asciidoc new file mode 100644 index 0000000000..7c985db4c9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-systemkey-access-via-command-line.asciidoc @@ -0,0 +1,104 @@ +[[prebuilt-rule-8-14-1-systemkey-access-via-command-line]] +=== SystemKey Access via Command Line + +Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey") and + not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file.asciidoc new file mode 100644 index 0000000000..ae2bc11041 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file]] +=== Unusual Execution via Microsoft Common Console File + +Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.process-* +* logs-windows.sysmon_operational-* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.genians.co.kr/blog/threat_intelligence/facebook + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Sysmon + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Execution via Microsoft Common Console File* + + +- Investigate the source of the MSC file. +- Investigate the process execution chain (all spawned child processes and their descendants). +- Investigate the process and it's descendants network and file events. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. + + +*Response and remediation* + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.executable : "?:\\Windows\\System32\\mmc.exe" and endswith~(process.parent.args, ".msc") and + not process.parent.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-webproxy-settings-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-webproxy-settings-modification.asciidoc new file mode 100644 index 0000000000..95a18b3bcb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rule-8-14-1-webproxy-settings-modification.asciidoc @@ -0,0 +1,104 @@ +[[prebuilt-rule-8-14-1-webproxy-settings-modification]] +=== WebProxy Settings Modification + +Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +*Setup* + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and + not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or + "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or + "/usr/libexec/xpcproxy") and + not process.Ext.effective_parent.executable : ("/Applications/Proxyman.app/Contents/MacOS/Proxyman" or "/Applications/Incoggo.app/Contents/MacOS/Incoggo.app") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-appendix.asciidoc new file mode 100644 index 0000000000..308f72d142 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-appendix.asciidoc @@ -0,0 +1,57 @@ +["appendix",role="exclude",id="prebuilt-rule-8-14-1-prebuilt-rules-8-14-1-appendix"] += Downloadable rule update v8.14.1 + +This section lists all updates associated with version 8.14.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-14-1-potential-widespread-malware-infection-across-multiple-hosts.asciidoc[] +include::prebuilt-rule-8-14-1-aws-ec2-admin-credential-fetch-via-assumed-role.asciidoc[] +include::prebuilt-rule-8-14-1-route53-resolver-query-log-configuration-deleted.asciidoc[] +include::prebuilt-rule-8-14-1-ec2-ami-shared-with-another-account.asciidoc[] +include::prebuilt-rule-8-14-1-potential-file-download-via-a-headless-browser.asciidoc[] +include::prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc[] +include::prebuilt-rule-8-14-1-unusual-execution-via-microsoft-common-console-file.asciidoc[] +include::prebuilt-rule-8-14-1-potential-powershell-hacktool-script-by-author.asciidoc[] +include::prebuilt-rule-8-14-1-potential-ransomware-behavior-high-count-of-readme-files-by-system.asciidoc[] +include::prebuilt-rule-8-14-1-suspicious-file-renamed-via-smb.asciidoc[] +include::prebuilt-rule-8-14-1-potential-ransomware-note-file-dropped-via-smb.asciidoc[] +include::prebuilt-rule-8-14-1-container-workload-protection.asciidoc[] +include::prebuilt-rule-8-14-1-endpoint-security.asciidoc[] +include::prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-8-14-1-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-8-14-1-webproxy-settings-modification.asciidoc[] +include::prebuilt-rule-8-14-1-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-14-1-suspicious-web-browser-sensitive-file-access.asciidoc[] +include::prebuilt-rule-8-14-1-systemkey-access-via-command-line.asciidoc[] +include::prebuilt-rule-8-14-1-quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc[] +include::prebuilt-rule-8-14-1-modification-of-environment-variable-via-unsigned-or-untrusted-parent.asciidoc[] +include::prebuilt-rule-8-14-1-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-14-1-suspicious-browser-child-process.asciidoc[] +include::prebuilt-rule-8-14-1-macos-installer-package-spawns-network-event.asciidoc[] +include::prebuilt-rule-8-14-1-shell-execution-via-apple-scripting.asciidoc[] +include::prebuilt-rule-8-14-1-suspicious-macos-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-14-1-authorization-plugin-modification.asciidoc[] +include::prebuilt-rule-8-14-1-persistence-via-docker-shortcut-modification.asciidoc[] +include::prebuilt-rule-8-14-1-finder-sync-plugin-registered-and-enabled.asciidoc[] +include::prebuilt-rule-8-14-1-persistence-via-folder-action-script.asciidoc[] +include::prebuilt-rule-8-14-1-potential-persistence-via-login-hook.asciidoc[] +include::prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-8-14-1-potential-admin-group-account-addition.asciidoc[] +include::prebuilt-rule-8-14-1-credential-dumping-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-credential-dumping-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-malware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-malware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-ransomware-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-ransomware-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-exploit-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-exploit-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-external-alerts.asciidoc[] +include::prebuilt-rule-8-14-1-credential-manipulation-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-credential-manipulation-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-permission-theft-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-permission-theft-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-process-injection-detected-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-process-injection-prevented-elastic-endgame.asciidoc[] +include::prebuilt-rule-8-14-1-connection-to-commonly-abused-web-services.asciidoc[] +include::prebuilt-rule-8-14-1-component-object-model-hijacking.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-summary.asciidoc new file mode 100644 index 0000000000..c7ded1cf95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-14-1/prebuilt-rules-8-14-1-summary.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-14-1-prebuilt-rules-8-14-1-summary]] +[role="xpack"] +== Update v8.14.1 + +This section lists all updates associated with version 8.14.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection. | new | 1 + +|<> | Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. | new | 2 + +|<> | Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks. | new | 1 + +|<> | Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well. | new | 1 + +|<> | Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions. | new | 1 + +|<> | Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. | new | 1 + +|<> | Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands. | new | 1 + +|<> | Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises. | new | 1 + +|<> | This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period. | new | 1 + +|<> | Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol. | new | 1 + +|<> | Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol. | new | 1 + +|<> | Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts. | update | 4 + +|<> | Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts. | update | 103 + +|<> | Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | update | 207 + +|<> | Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 108 + +|<> | Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. | update | 206 + +|<> | Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. | update | 207 + +|<> | Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. | update | 207 + +|<> | Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. | update | 206 + +|<> | Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. | update | 108 + +|<> | Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. | update | 206 + +|<> | Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. | update | 207 + +|<> | Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. | update | 107 + +|<> | Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. | update | 107 + +|<> | Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. | update | 107 + +|<> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. | update | 206 + +|<> | Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. | update | 107 + +|<> | An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. | update | 107 + +|<> | Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. | update | 206 + +|<> | Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. | update | 107 + +|<> | Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. | update | 108 + +|<> | Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. | update | 207 + +|<> | Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. | update | 206 + +|<> | Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 104 + +|<> | Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. | update | 103 + +|<> | Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | update | 103 + +|<> | Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. | update | 113 + +|<> | Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. | update | 113 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index c285889192..cc7fb4878f 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -6,134 +6,20 @@ This section lists all updates to prebuilt detection rules, made available with To update your installed rules to the latest versions, follow the instructions in <>. +For previous rule updates, please navigate to the https://www.elastic.co/guide/en/security/8.12/prebuilt-rules-downloadable-updates.html[last version]. [width="100%",options="header"] |============================================== |Update version |Date | New rules | Updated rules | Notes -|<> | 15 Feb 2023 | 29 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. -A https://www.elastic.co/guide/en/security/current/rules-ui-create.html[New Terms] rule has been created to identify loaded Windows drivers not seen in the last 30 days. -A guided onboarding rule has been created to assist new SIEM users with getting started. -|<> | 15 Feb 2023 | 28 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. -A https://www.elastic.co/guide/en/security/current/rules-ui-create.html[New Terms] rule has been created to identify loaded Windows drivers not seen in the last 30 days. +|<> | 15 May 2024 | 11 | 40 | +This release includes new rules for Windows and AWS integration and tuned rules for Windows and MacOS. +New rules for Windows include detection for impact, execution, command and control and defense evasion. +New rules for AWS include detection for persistence, defense evasion, exfiltration and credential access. +Additionally, significant rule tuning for Windows and MacOS rules has been added for better rule efficacy and performance. -|<> | 14 Feb 2023 | 27 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. - -|<> | 14 Feb 2023 | 27 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. - -|<> | 24 Jan 2023 | 5 | 494 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via Powershell. -Additionally, significant rule tuning for Windows rules has been added for better rule efficacy. -A new rule for multiple alerts with different ATT&CK tactics on a single host has also been included. -A new rule for multiple alerts involving a single user has been added. -Related integration tags and recommended versions have been added to endpoint rules. -Bug fixes for OSQuery execution in rule investigation guides has been added. - -|<> | 24 Jan 2023 | 1 | 4 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via PowerShell. -A new rule for multiple alerts with different ATT&CK tactics on a single host has also been included. -Additionally, a new rule for multiple alerts involving a single user has been added. -This release also includes rule tuning for suspicious Windows Error Reporting child processes. - -|<> | 19 Jan 2023 | 17 | 500 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via PowerShell. -Additionally, significant rule tuning for Windows rules has been added for better rule efficacy. -Related integration tags and recommended versions have been added to endpoint rules. -Bug fixes for OSQuery execution in rule investigation guides has been added. - -|<> | 05 Dec 2022 | 20 | 298 | -This release includes new rules for Linux regarding reverse shells. -Additionally, new windows rules have been added to supply coverage for credential access and access token manipulation. -Specific Windows and Linux rules have been tuned to reduce false-positive signals. - -|<> | 06 Oct 2022 | 25 | 232 | -This release includes new rules for Linux, Windows, Google Workspace and Kubernetes. -Also included are expanded investigation guides for Linux, Windows and macOS rules. - -|<> | 26 Aug 2022 | 0 | 113 | -This release includes new rules for Linux, Windows, Google Workspace and Kubernetes. -Also included are expanded investigation and setup guides for Linux, Windows and macOS rules. -Rule compatability for required event fields and related Fleet integrations has also been included. - -|<> | 24 Aug 2022 | 442 | 96 | -This release includes new rules for Windows, MacOS, Linux, Kubernetes, and considerable tuning efforts. -Also included are expanded investion guides for Windows, Azure and AWS rules. - -|<> | 24 Jun 2022 | 14 | 159 | -This release includes new rules for Windows, MacOS, Linux and Kubernetes. -Also included are expanded investigation guides for Windows rules. -Additionally, this update includes new rules to help detect emerging threat https://www.elastic.co/blog/a-peek-behind-the-bpfdoor[BPFDoor]. -Updates to existing Windows rules were made to help detect exploitation attempts against https://www.elastic.co/blog/vulnerability-summary-follina[CVE-2022-30190]. - -|<> | 03 May 2022 | 42 | 341 | -This release includes new rules for MacOS regarding initial access and persistence coverage. -New rules to detect shell evasion in Linux have also been added. -Also included are expanded investigation guides for Windows rules as well as new rules for credential theft and Active Directory (AD). -Additionally, this update includes new rules to help detect the emerging threat https://www.elastic.co/blog/detecting-and-responding-to-dirty-pipe-with-elastic[CVE-2022-0847 (Dirty Pipe)] - -|<> | 13 Dec 2021 | 35 | 45 | -This release includes an update to an existing rule and adds a new rule to help detect https://www.elastic.co/blog/detecting-log4j2-with-elastic-security[CVE-2021-44228 (log4j2)]. -Also included are updates and new rules for cloud integrations, windows, PowerShell, and others. - -|<> | 15 Oct 2021 | 18 | 89 | -This release includes rules covering Windows endpoints, as well as several third-party integrations — including rules contributed by the community. - -|<> | 08 Sep 2021 | 3 | 71 | -Included in this release is a rule to detect web shells, including -https://discuss.elastic.co/t/detection-and-response-for-proxyshell-activity/282407[ProxyShell] activity. - -|<> | 22 Jul 2021 | 4 | 36 | -Included in this release is a rule for Windows Defender Exclusions, which has been used in recent campaigns, as well as -a rule to resiliently detect parent PID spoofing. - -|<> | 07 Jul 2021 | 15 | 6 | -Included in this release are 3 new rules for the recently observed -https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples[REvil] -activity as well as 4 new rules covering the recent -https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527[PrintNightmare] vulnerability. - -|<> | 21 Jun 2021 | 4 | 41 | |============================================== - -include::downloadable-packages/0-13-1/prebuilt-rules-0-13-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-13-2/prebuilt-rules-0-13-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-13-3/prebuilt-rules-0-13-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-2/prebuilt-rules-0-14-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/1-0-2/prebuilt-rules-1-0-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-1-1/prebuilt-rules-8-1-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-2-1/prebuilt-rules-8-2-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-1/prebuilt-rules-8-3-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-2/prebuilt-rules-8-3-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-3/prebuilt-rules-8-3-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-4/prebuilt-rules-8-3-4-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-1/prebuilt-rules-8-4-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-2/prebuilt-rules-8-4-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-3/prebuilt-rules-8-4-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-5-1/prebuilt-rules-8-5-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-6-1/prebuilt-rules-8-6-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-7-1/prebuilt-rules-8-7-1-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-14-1/prebuilt-rules-8-14-1-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 980b406671..c6439db7d9 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc @@ -14,1450 +14,2230 @@ and their rule type is `machine_learning`. |Rule |Description |Tags |Added |Version -|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |8 -|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |8 -|<> |An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] [Credential Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: AWS S3], [Resources: Investigation Guide], [Use Case: Policy Violation], [Mitre Atlas: T0015], [Mitre Atlas: T0034] |8.13.0 |1 -|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] |7.9.0 |101 <> +|<> |Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: AWS S3], [Resources: Investigation Guide], [Use Case: Policy Violation], [Mitre Atlas: T0051], [Mitre Atlas: T0054] |8.13.0 |1 -|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system. |[Domain: LLM], [Data Source: AWS Bedrock], [Data Source: AWS S3], [Resources: Investigation Guide], [Use Case: Policy Violation], [Mitre Atlas: T0051], [Mitre Atlas: T0054] |8.13.0 |1 -|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Collection] |8.9.0 |207 -|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |209 -|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |209 -|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Cloudtrail], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |209 -|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |209 -|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS CloudWatch], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |209 -|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS CloudWatch], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |8.9.0 |209 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |209 -|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.9.0 |101 <> +|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.14.0 |101 <> +|<> |This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.8.0 |1 -|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Amazon EC2], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.3.0 |2 -|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |206 -|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.16.0 |101 <> +|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies when an ElastiCache security group has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |8.9.0 |209 -|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Impact] |7.16.0 |101 <> +|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |206 -|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Initial Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies when an ElastiCache security group has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS SSM], [Use Case: Log Auditing], [Tactic: Initial Access], [Resources: Investigation Guide] |8.9.0 |209 -|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |209 -|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.9.0 |210 -|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Credential Access] [Persistence] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |209 -|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] |8.6.0 |1 +|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.10.0 |101 <> +|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who typically does not have one and is used only for programmatic access. This can be used to maintain access to the account even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS IAM], [Use Case: Identity and Access Audit], [Tactic: Persistence], [Rule Type: BBR] |8.9.0 |1 -|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Signin], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.9.0 |206 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |7.14.0 |101 <> +|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.9.0 |209 -|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS KMS], [Use Case: Log Auditing], [Tactic: Impact] |8.9.0 |106 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.9.0 |207 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Signin], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.9.0 |209 -|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] |7.16.0 |101 <> +|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Defense Evasion] |7.16.0 |101 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |8.3.0 |101 <> +|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS RDS], [Tactic: Impact] |8.9.0 |206 -|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |8.9.0 |206 -|<> |Identifies when an AWS Route Table has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Redshift], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |101 <> +|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |209 -|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies when an AWS Route Table has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |207 -|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.15.0 |101 <> +|<> |Identifies when an AWS Route Table has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |207 -|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS Route53], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |206 -|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |207 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS S3], [Resources: Investigation Guide], [Use Case: Log Auditing], [Tactic: Impact] |8.13.0 |1 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] [Investigation Guide] |8.3.0 |102 <> +|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |206 -|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] [Investigation Guide] |7.10.0 |102 <> +|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS EC2], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |206 -|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host] [Lateral Movement] [Initial Access] |7.6.0 |101 <> +|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |206 -|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.12.0 |100 <> +|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |209 -|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.10.0 |100 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access] [Active Directory] |8.6.0 |1 +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] [Investigation Guide] |8.2.0 |102 <> +|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Elastic Endgame] |8.6.0 |213 -|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] |7.7.0 |102 <> +|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Use Case: Vulnerability] |8.3.0 |105 -|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |101 <> +|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Domain: Endpoint], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Lateral Movement], [Tactic: Initial Access] |8.3.0 |104 -|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] [Elastic Endgame] |7.11.0 |102 <> +|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.7.0 |207 -|<