-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
5f24c10
commit ea1f8d4
Showing
1,170 changed files
with
89,354 additions
and
48,620 deletions.
There are no files selected for viewing
136 changes: 136 additions & 0 deletions
136
...8-14-1/prebuilt-rule-8-14-1-access-to-keychain-credentials-directories.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,136 @@ | ||
| [[prebuilt-rule-8-14-1-access-to-keychain-credentials-directories]] | ||
| === Access to Keychain Credentials Directories | ||
|
|
||
| Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * logs-endpoint.events.* | ||
|
|
||
| *Severity*: high | ||
|
|
||
| *Risk score*: 73 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://objective-see.com/blog/blog_0x25.html | ||
| * https://securelist.com/calisto-trojan-for-macos/86543/ | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: macOS | ||
| * Use Case: Threat Detection | ||
| * Tactic: Credential Access | ||
| * Data Source: Elastic Defend | ||
|
|
||
| *Version*: 207 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires data coming in from Elastic Defend. | ||
|
|
||
|
|
||
| *Elastic Defend Integration Setup* | ||
|
|
||
| Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. | ||
|
|
||
|
|
||
| *Prerequisite Requirements:* | ||
|
|
||
| - Fleet is required for Elastic Defend. | ||
| - To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. | ||
|
|
||
|
|
||
| *The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* | ||
|
|
||
| - Go to the Kibana home page and click "Add integrations". | ||
| - In the query bar, search for "Elastic Defend" and select the integration to see more details about it. | ||
| - Click "Add Elastic Defend". | ||
| - Configure the integration name and optionally add a description. | ||
| - Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". | ||
| - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. | ||
| - We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" | ||
| - Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. | ||
| For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. | ||
| - Click "Save and Continue". | ||
| - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. | ||
| For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| process where host.os.type == "macos" and event.type in ("start", "process_started") and | ||
| process.args : | ||
| ( | ||
| "/Users/*/Library/Keychains/*", | ||
| "/Library/Keychains/*", | ||
| "/Network/Library/Keychains/*", | ||
| "System.keychain", | ||
| "login.keychain-db", | ||
| "login.keychain" | ||
| ) and | ||
| not process.args : ("find-certificate", | ||
| "add-trusted-cert", | ||
| "set-keychain-settings", | ||
| "delete-certificate", | ||
| "/Users/*/Library/Keychains/openvpn.keychain-db", | ||
| "show-keychain-info", | ||
| "lock-keychain", | ||
| "set-key-partition-list", | ||
| "import", | ||
| "find-identity") and | ||
| not process.parent.executable : | ||
| ( | ||
| "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", | ||
| "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", | ||
| "/opt/jc/bin/jumpcloud-agent" | ||
| ) and | ||
| not process.executable : ("/opt/jc/bin/jumpcloud-agent", "/usr/bin/basename") and | ||
| not process.Ext.effective_parent.executable : ("/opt/rapid7/ir_agent/ir_agent", | ||
| "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint", | ||
| "/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent", | ||
| "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", | ||
| "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService", | ||
| "/usr/local/jamf/bin/jamf", | ||
| "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon") | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Credential Access | ||
| ** ID: TA0006 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0006/ | ||
| * Technique: | ||
| ** Name: Credentials from Password Stores | ||
| ** ID: T1555 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1555/ | ||
| * Sub-technique: | ||
| ** Name: Keychain | ||
| ** ID: T1555.001 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1555/001/ |
59 changes: 59 additions & 0 deletions
59
...-14-1/prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| [[prebuilt-rule-8-14-1-adversary-behavior-detected-elastic-endgame]] | ||
| === Adversary Behavior - Detected - Elastic Endgame | ||
|
|
||
| Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. | ||
|
|
||
| *Rule type*: query | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * endgame-* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 10m | ||
|
|
||
| *Searches indices from*: now-15m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 10000 | ||
|
|
||
| *References*: None | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Data Source: Elastic Endgame | ||
|
|
||
| *Version*: 104 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. | ||
|
|
||
| **IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. | ||
|
|
||
| To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. | ||
|
|
||
| **NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects. | ||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) | ||
| ---------------------------------- |
73 changes: 73 additions & 0 deletions
73
...14-1-alternate-data-stream-creation-execution-at-volume-root-directory.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| [[prebuilt-rule-8-14-1-alternate-data-stream-creation-execution-at-volume-root-directory]] | ||
| === Alternate Data Stream Creation/Execution at Volume Root Directory | ||
|
|
||
| Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * winlogbeat-* | ||
| * logs-endpoint.events.process-* | ||
| * logs-endpoint.events.file-* | ||
| * logs-windows.sysmon_operational-* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/ | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: Windows | ||
| * Use Case: Threat Detection | ||
| * Tactic: Defense Evasion | ||
| * Data Source: Elastic Defend | ||
| * Data Source: Sysmon | ||
|
|
||
| *Version*: 1 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| any where host.os.type == "windows" and event.category in ("file", "process") and | ||
| ( | ||
| (event.type == "creation" and file.path regex~ """[A-Z]:\\:.+""") or | ||
| (event.type == "start" and process.executable regex~ """[A-Z]:\\:.+""") | ||
| ) | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Defense Evasion | ||
| ** ID: TA0005 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0005/ | ||
| * Technique: | ||
| ** Name: Hide Artifacts | ||
| ** ID: T1564 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1564/ | ||
| * Sub-technique: | ||
| ** Name: NTFS File Attributes | ||
| ** ID: T1564.004 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1564/004/ |
111 changes: 111 additions & 0 deletions
111
...lt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges.asciidoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| [[prebuilt-rule-8-14-1-apple-scripting-execution-with-administrator-privileges]] | ||
| === Apple Scripting Execution with Administrator Privileges | ||
|
|
||
| Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. | ||
|
|
||
| *Rule type*: eql | ||
|
|
||
| *Rule indices*: | ||
|
|
||
| * logs-endpoint.events.* | ||
|
|
||
| *Severity*: medium | ||
|
|
||
| *Risk score*: 47 | ||
|
|
||
| *Runs every*: 5m | ||
|
|
||
| *Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>) | ||
|
|
||
| *Maximum alerts per execution*: 100 | ||
|
|
||
| *References*: | ||
|
|
||
| * https://discussions.apple.com/thread/2266150 | ||
|
|
||
| *Tags*: | ||
|
|
||
| * Domain: Endpoint | ||
| * OS: macOS | ||
| * Use Case: Threat Detection | ||
| * Tactic: Execution | ||
| * Tactic: Privilege Escalation | ||
| * Data Source: Elastic Defend | ||
|
|
||
| *Version*: 207 | ||
|
|
||
| *Rule authors*: | ||
|
|
||
| * Elastic | ||
|
|
||
| *Rule license*: Elastic License v2 | ||
|
|
||
|
|
||
| ==== Setup | ||
|
|
||
|
|
||
|
|
||
| *Setup* | ||
|
|
||
|
|
||
| This rule requires data coming in from Elastic Defend. | ||
|
|
||
|
|
||
| *Elastic Defend Integration Setup* | ||
|
|
||
| Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. | ||
|
|
||
|
|
||
| *Prerequisite Requirements:* | ||
|
|
||
| - Fleet is required for Elastic Defend. | ||
| - To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. | ||
|
|
||
|
|
||
| *The following steps should be executed in order to add the Elastic Defend integration on a macOS System:* | ||
|
|
||
| - Go to the Kibana home page and click "Add integrations". | ||
| - In the query bar, search for "Elastic Defend" and select the integration to see more details about it. | ||
| - Click "Add Elastic Defend". | ||
| - Configure the integration name and optionally add a description. | ||
| - Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints". | ||
| - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. | ||
| - We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" | ||
| - Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. | ||
| For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/current/agent-policy.html[helper guide]. | ||
| - Click "Save and Continue". | ||
| - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. | ||
| For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. | ||
|
|
||
|
|
||
| ==== Rule query | ||
|
|
||
|
|
||
| [source, js] | ||
| ---------------------------------- | ||
| process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and | ||
| process.command_line : "osascript*with administrator privileges" and | ||
| not process.parent.name : "Electron" and | ||
| not process.Ext.effective_parent.executable : ("/Applications/Visual Studio Code.app/Contents/MacOS/Electron", | ||
| "/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller") | ||
| ---------------------------------- | ||
|
|
||
| *Framework*: MITRE ATT&CK^TM^ | ||
|
|
||
| * Tactic: | ||
| ** Name: Privilege Escalation | ||
| ** ID: TA0004 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0004/ | ||
| * Technique: | ||
| ** Name: Valid Accounts | ||
| ** ID: T1078 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1078/ | ||
| * Tactic: | ||
| ** Name: Execution | ||
| ** ID: TA0002 | ||
| ** Reference URL: https://attack.mitre.org/tactics/TA0002/ | ||
| * Technique: | ||
| ** Name: Command and Scripting Interpreter | ||
| ** ID: T1059 | ||
| ** Reference URL: https://attack.mitre.org/techniques/T1059/ |
Oops, something went wrong.