From efb79853d32916aefdfb1324759fcdbb3e311bca Mon Sep 17 00:00:00 2001 From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Fri, 14 Jul 2023 13:08:09 +0000 Subject: [PATCH] Update latest docs --- ...-6-9-a-scheduled-task-was-updated.asciidoc | 84 ++++++++ ...l-process-id-or-lock-file-created.asciidoc | 119 +++++++++++ ...attempt-to-disable-syslog-service.asciidoc | 69 +++++++ ...-rule-8-6-9-chkconfig-service-add.asciidoc | 71 +++++++ ...-elastic-agent-service-terminated.asciidoc | 91 +++++++++ ...-first-time-seen-removable-device.asciidoc | 78 ++++++++ ...gh-number-of-process-terminations.asciidoc | 101 ++++++++++ ...execution-via-powershell-remoting.asciidoc | 70 +++++++ ...-execution-via-winrm-remote-shell.asciidoc | 68 +++++++ ...ctive-terminal-spawned-via-python.asciidoc | 70 +++++++ ...load-or-unload-via-kexec-detected.asciidoc | 89 +++++++++ ...shell-breakout-via-linux-binary-s.asciidoc | 184 +++++++++++++++++ ...amic-linker-preload-shared-object.asciidoc | 68 +++++++ ...ltiple-vault-web-credentials-read.asciidoc | 91 +++++++++ ...ial-code-execution-via-postgresql.asciidoc | 65 ++++++ ...al-linux-ssh-brute-force-detected.asciidoc | 118 +++++++++++ ...al-linux-ssh-brute-force-detected.asciidoc | 114 +++++++++++ ...ransomware-note-creation-detected.asciidoc | 75 +++++++ ...9-potential-network-scan-detected.asciidoc | 72 +++++++ ...-potential-network-sweep-detected.asciidoc | 72 +++++++ ...a-ld-preload-environment-variable.asciidoc | 112 +++++++++++ ...-potential-reverse-shell-via-java.asciidoc | 77 ++++++++ ...verse-shell-via-suspicious-binary.asciidoc | 89 +++++++++ ...hell-via-suspicious-child-process.asciidoc | 85 ++++++++ ...ell-via-suspicious-parent-process.asciidoc | 85 ++++++++ ...ule-8-6-9-potential-reverse-shell.asciidoc | 77 ++++++++ ...e-read-via-command-line-utilities.asciidoc | 78 ++++++++ ...ce-detected-on-privileged-account.asciidoc | 119 +++++++++++ ...9-potential-ssh-password-guessing.asciidoc | 109 ++++++++++ ...x-ftp-brute-force-attack-detected.asciidoc | 94 +++++++++ ...x-rdp-brute-force-attack-detected.asciidoc | 92 +++++++++ ...l-syn-based-network-scan-detected.asciidoc | 72 +++++++ ...le-8-6-9-rdp-enabled-via-registry.asciidoc | 118 +++++++++++ ...remotely-started-services-via-rpc.asciidoc | 159 +++++++++++++++ ...erse-shell-created-via-named-pipe.asciidoc | 74 +++++++ ...us-antimalware-scan-interface-dll.asciidoc | 133 +++++++++++++ ...racted-or-decompressed-via-funzip.asciidoc | 82 ++++++++ ...ta-encryption-via-openssl-utility.asciidoc | 67 +++++++ ...rsistence-or-privilege-escalation.asciidoc | 154 +++++++++++++++ ...us-file-changes-activity-detected.asciidoc | 70 +++++++ ...e-creation-in-etc-for-persistence.asciidoc | 113 +++++++++++ ...-9-suspicious-modprobe-file-event.asciidoc | 87 ++++++++ ...etwork-connection-attempt-by-root.asciidoc | 93 +++++++++ ...cious-powershell-engine-imageload.asciidoc | 141 +++++++++++++ ...oc-pseudo-file-system-enumeration.asciidoc | 89 +++++++++ ...-6-9-suspicious-sysctl-file-event.asciidoc | 87 ++++++++ ...-by-previously-unknown-executable.asciidoc | 76 +++++++ ...le-creation-alternate-data-stream.asciidoc | 186 ++++++++++++++++++ ...6-9-wmi-incoming-lateral-movement.asciidoc | 81 ++++++++ .../prebuilt-rules-8-6-9-appendix.asciidoc | 55 ++++++ .../prebuilt-rules-8-6-9-summary.asciidoc | 110 +++++++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 4 + docs/index.asciidoc | 2 + 53 files changed, 4839 insertions(+) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-a-scheduled-task-was-updated.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-attempt-to-disable-syslog-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-chkconfig-service-add.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-elastic-agent-service-terminated.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-first-time-seen-removable-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-high-number-of-process-terminations.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-multiple-vault-web-credentials-read.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-code-execution-via-postgresql.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-password-guessing.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-rdp-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-remotely-started-services-via-rpc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-modprobe-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-sysctl-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-wmi-incoming-lateral-movement.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-summary.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-a-scheduled-task-was-updated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-a-scheduled-task-was-updated.asciidoc new file mode 100644 index 0000000000..fdeaca238a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-a-scheduled-task-was-updated.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-6-9-a-scheduled-task-was-updated]] +=== A scheduled task was updated + +Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "scheduled-task-updated" and + + /* excluding tasks created by the computer account */ + not user.name : "*$" and + not winlog.event_data.TaskName : "*Microsoft*" and + not winlog.event_data.TaskName : + ("\\User_Feed_Synchronization-*", + "\\OneDrive Reporting Task-S-1-5-21*", + "\\OneDrive Reporting Task-S-1-12-1-*", + "\\Hewlett-Packard\\HP Web Products Detection", + "\\Hewlett-Packard\\HPDeviceCheck", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant", + "\\IpamDnsProvisioning", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun", + "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun", + "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*", + "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and + not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created.asciidoc new file mode 100644 index 0000000000..fa33ad5fd9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created]] +=== Abnormal Process ID or Lock File Created + +Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Abnormal Process ID or Lock File Created + +Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value. + +Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented. + +This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files. + +#### Possible investigation steps + +- Retrieve the file and determine if it is malicious: + - Check the contents of the PID files. They should only contain integer strings. + - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files. + - Check the size of the subject file. Legitimate PID files should be under 10 bytes. + - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload. + - Analysts can use tools like `ent` to measure entropy. + - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation. +- Trace the file's creation to ensure it came from a legitimate or authorized process. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and +user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not +file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or +"acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or +"docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or +"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-attempt-to-disable-syslog-service.asciidoc new file mode 100644 index 0000000000..f0ecad7fb1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-attempt-to-disable-syslog-service.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-6-9-attempt-to-disable-syslog-service]] +=== Attempt to Disable Syslog Service + +Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and + ( (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + ) and process.args in ("syslog", "rsyslog", "syslog-ng") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..f013a731e9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-chkconfig-service-add.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-6-9-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Lightning Framework +* Data Source: Elastic Endgame + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-elastic-agent-service-terminated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-elastic-agent-service-terminated.asciidoc new file mode 100644 index 0000000000..0ac9bd66db --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-elastic-agent-service-terminated.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-6-9-elastic-agent-service-terminated]] +=== Elastic Agent Service Terminated + +Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion + +*Version*: 103 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where +/* net, sc or wmic stopping or deleting Elastic Agent on Windows */ +(event.type == "start" and + process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and + process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and + process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) +or +/* service or systemctl used to stop Elastic Agent on Linux */ +(event.type == "end" and + (process.name : ("systemctl", "service") and + process.args : "elastic-agent" and + process.args : "stop") + or + /* pkill , killall used to stop Elastic Agent on Linux */ + ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent") + or + /* Unload Elastic Agent extension on MacOS */ + (process.name : "kextunload" and + process.args : "com.apple.iokit.EndpointSecurity" and + event.action : "end")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-first-time-seen-removable-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-first-time-seen-removable-device.asciidoc new file mode 100644 index 0000000000..e507969d50 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-first-time-seen-removable-device.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-6-9-first-time-seen-removable-device]] +=== First Time Seen Removable Device + +Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html +* https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Exfiltration +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"registry" and host.os.type:"windows" and registry.value:"FriendlyName" and registry.path:*USBSTOR* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Replication Through Removable Media +** ID: T1091 +** Reference URL: https://attack.mitre.org/techniques/T1091/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Physical Medium +** ID: T1052 +** Reference URL: https://attack.mitre.org/techniques/T1052/ +* Sub-technique: +** Name: Exfiltration over USB +** ID: T1052.001 +** Reference URL: https://attack.mitre.org/techniques/T1052/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-high-number-of-process-terminations.asciidoc new file mode 100644 index 0000000000..e4594f61cb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-high-number-of-process-terminations.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-6-9-high-number-of-process-terminations]] +=== High Number of Process Terminations + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process Terminations + +Attackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc. + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +#### Possible investigation steps + +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user. +- Examine the contents of session leading to the process termination(s) via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities. +- Examine the process killed during the malicious execution + - Identify imment threat to the system from the process killed. + - Take necessary incident response actions to respawn necessary process. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting.asciidoc new file mode 100644 index 0000000000..d24df1e7cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting]] +=== Incoming Execution via PowerShell Remoting + +Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 30s + [network where host.os.type == "windows" and network.direction : ("incoming", "ingress") and destination.port in (5985, 5986) and + network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Windows Remote Management +** ID: T1021.006 +** Reference URL: https://attack.mitre.org/techniques/T1021/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell.asciidoc new file mode 100644 index 0000000000..14f999920c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell]] +=== Incoming Execution via WinRM Remote Shell + +Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=30s + [network where host.os.type == "windows" and process.pid == 4 and network.direction : ("incoming", "ingress") and + destination.port in (5985, 5986) and network.protocol == "http" and source.ip != "127.0.0.1" and source.ip != "::1"] + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "winrshost.exe" and not process.executable : "?:\\Windows\\System32\\conhost.exe"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Windows Remote Management +** ID: T1021.006 +** Reference URL: https://attack.mitre.org/techniques/T1021/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python.asciidoc new file mode 100644 index 0000000000..11c11ae305 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python]] +=== Interactive Terminal Spawned via Python + +Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.parent.name : "python*" and process.name : "*sh" and process.parent.args_count >= 3 and + process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name : "*sh" and process.args : "*sh" and process.args_count == 1 + and process.parent.args_count == 1) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Python +** ID: T1059.006 +** Reference URL: https://attack.mitre.org/techniques/T1059/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected.asciidoc new file mode 100644 index 0000000000..994f576acf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected]] +=== Kernel Load or Unload via Kexec Detected + +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.crowdstrike.com/blog/venom-vulnerability-details/ +* https://www.makeuseof.com/what-is-venom-vulnerability/ +* https://madaidans-insecurities.github.io/guides/linux-hardening.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and +process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify System Image +** ID: T1601 +** Reference URL: https://attack.mitre.org/techniques/T1601/ +* Sub-technique: +** Name: Patch System Image +** ID: T1601.001 +** Reference URL: https://attack.mitre.org/techniques/T1601/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc new file mode 100644 index 0000000000..b0fa32bcaf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc @@ -0,0 +1,184 @@ +[[prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s]] +=== Linux Restricted Shell Breakout via Linux Binary(s) + +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gtfobins.github.io/gtfobins/apt/ +* https://gtfobins.github.io/gtfobins/apt-get/ +* https://gtfobins.github.io/gtfobins/nawk/ +* https://gtfobins.github.io/gtfobins/mawk/ +* https://gtfobins.github.io/gtfobins/awk/ +* https://gtfobins.github.io/gtfobins/gawk/ +* https://gtfobins.github.io/gtfobins/busybox/ +* https://gtfobins.github.io/gtfobins/c89/ +* https://gtfobins.github.io/gtfobins/c99/ +* https://gtfobins.github.io/gtfobins/cpulimit/ +* https://gtfobins.github.io/gtfobins/crash/ +* https://gtfobins.github.io/gtfobins/env/ +* https://gtfobins.github.io/gtfobins/expect/ +* https://gtfobins.github.io/gtfobins/find/ +* https://gtfobins.github.io/gtfobins/flock/ +* https://gtfobins.github.io/gtfobins/gcc/ +* https://gtfobins.github.io/gtfobins/mysql/ +* https://gtfobins.github.io/gtfobins/nice/ +* https://gtfobins.github.io/gtfobins/ssh/ +* https://gtfobins.github.io/gtfobins/vi/ +* https://gtfobins.github.io/gtfobins/vim/ +* https://gtfobins.github.io/gtfobins/capsh/ +* https://gtfobins.github.io/gtfobins/byebug/ +* https://gtfobins.github.io/gtfobins/git/ +* https://gtfobins.github.io/gtfobins/ftp/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Shell Evasion via Linux Utilities +Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or +environments by spawning an interactive system shell. +Here are some possible avenues of investigation: +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user +- Examine the contents of session leading to the abuse via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities +- Examine the execution of commands in the spawned shell. + - Identify imment threat to the system from the executed commands + - Take necessary incident response actions to contain any malicious behviour caused via this execution. + +### Related rules + +- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences. +- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment + +### Response and remediation + +Initiate the incident response process based on the outcome of the triage. + +- If the triage releaved suspicious netwrok activity from the malicious spawned shell, + - Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware execution via the maliciously spawned shell, + - Search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- If the triage revelaed defence evasion for imparing defenses + - Isolate the involved host to prevent further post-compromise behavior. + - Identified the disabled security guard components on the host and take necessary steps in renebaling the same. + - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same. +- If the triage revelaed addition of persistence mechanism exploit like auto start scripts + - Isolate further login to the systems that can initae auto start scripts. + - Identify the auto start scripts and disable and remove the same from the systems +- If the triage revealed data crawling or data export via remote copy + - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling + - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials. + - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +( + /* launching shell from capsh */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name : "*sh" and ( + (process.parent.name : ("byebug", "ftp", "strace", "zip", "*awk", "git", "tar") and + ( + process.parent.args : "BEGIN {system(*)}" or + (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or + ( + (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or + (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh")) + ) + ) + ) or + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args : "*sh" and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "-exec" and process.parent.args == ";" and process.parent.args == "-p") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) + )) or + + /* shells specified in args */ + (process.args : "*sh" and ( + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + + )) or + (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox") or + (process.name == "env" and process.args_count == 2 and process.args : "*sh") or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or + (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object.asciidoc new file mode 100644 index 0000000000..7ad2a707b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object]] +=== Modification of Dynamic Linker Preload Shared Object + +Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and +event.action:(updated or renamed or rename) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-multiple-vault-web-credentials-read.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-multiple-vault-web-credentials-read.asciidoc new file mode 100644 index 0000000000..702ae826e6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-multiple-vault-web-credentials-read.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-6-9-multiple-vault-web-credentials-read]] +=== Multiple Vault Web Credentials Read + +Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, winlog.process.pid with maxspan=1s + + /* 2 consecutive vault reads from same pid for web creds */ + + [any where event.code : "5382" and + (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : "http://localhost/"] + + [any where event.code : "5382" and + (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : "http://localhost/"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-code-execution-via-postgresql.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-code-execution-via-postgresql.asciidoc new file mode 100644 index 0000000000..b1cbcc25ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-code-execution-via-postgresql.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-6-9-potential-code-execution-via-postgresql]] +=== Potential Code Execution via Postgresql + +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and +event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..e8138bd99b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected]] +=== Potential External Linux SSH Brute Force Detected + +Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential External Linux SSH Brute Force Detected + +The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +This rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. + +In case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling "Potential Internal Linux SSH Brute Force Detected" to detect internal brute force attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Related Rules + +- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=5s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..ba6c0cee2d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected]] +=== Potential Internal Linux SSH Brute Force Detected + +Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Internal Linux SSH Brute Force Detected + +The rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Related Rules + +- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=5s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected.asciidoc new file mode 100644 index 0000000000..f5e3821858 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected]] +=== Potential Linux Ransomware Note Creation Detected + +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [ file where host.os.type == "linux" and event.type == "change" and + event.action == "rename" and file.extension != "" and + file.path : ( + "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" + ) and not + file.extension : ( + "xml", "json", "conf", "dat", "gz", "info", "mod", "final", + "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" + ) and not + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd" + ) ] with runs=100 + [ file where host.os.type == "linux" and event.action == "creation" and file.extension == "txt" and + file.name : ( + "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", + "*read*", "*instruction*", "*how_to*", "*ransom*" + ) ] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-scan-detected.asciidoc new file mode 100644 index 0000000000..7a7417307e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-scan-detected.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-6-9-potential-network-scan-detected]] +=== Potential Network Scan Detected + +This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-sweep-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-sweep-detected.asciidoc new file mode 100644 index 0000000000..53f4ba253a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-network-sweep-detected.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-6-9-potential-network-sweep-detected]] +=== Potential Network Sweep Detected + +This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable.asciidoc new file mode 100644 index 0000000000..d62b6f177f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable]] +=== Potential Process Injection via LD_PRELOAD Environment Variable + +This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.getambassador.io/resources/code-injection-on-linux-and-macos + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +By default, the `Elastic Defend` integration does not collect environment variable logging. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the `Elastic Defend` integration. +``` +Kibana --> +Fleet --> +Agent policies --> +Agent policy for which the option should be enabled --> +Name of the Elastic Defend integration --> +Show advanced settings --> +linux.advanced.capture_env_vars +``` +`linux.advanced.capture_env_vars` should be set to `LD_PRELOAD,LD_LIBRARY_PATH`. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and + event.action == "exec" and + process.env_vars : ("LD_PRELOAD=?*", "LD_LIBRARY_PATH=?*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-java.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-java.asciidoc new file mode 100644 index 0000000000..5a77a82047 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-java.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-6-9-potential-reverse-shell-via-java]] +=== Potential Reverse Shell via Java + +This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s +[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") ] by process.entity_id +[ process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary.asciidoc new file mode 100644 index 0000000000..edf524fbc8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary]] +=== Potential Reverse Shell via Suspicious Binary + +This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not + process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) ] +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process.asciidoc new file mode 100644 index 0000000000..2a2c1cb30a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process]] +=== Potential Reverse Shell via Suspicious Child Process + +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.name : "python*" and process.args : "-c") or + (process.name : "php*" and process.args : "-r") or + (process.name : "perl" and process.args : "-e") or + (process.name : "ruby" and process.args : ("-e", "-rsocket")) or + (process.name : "lua*" and process.args : "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..bdd7771431 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process]] +=== Potential Reverse Shell via Suspicious Parent Process + +This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( + (process.name : "python*" and process.args : "-c") or + (process.name : "php*" and process.args : "-r") or + (process.name : "perl" and process.args : "-e") or + (process.name : "ruby" and process.args : ("-e", "-rsocket")) or + (process.name : "lua*" and process.args : "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell.asciidoc new file mode 100644 index 0000000000..8c5fd5621d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-reverse-shell.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-6-9-potential-reverse-shell]] +=== Potential Reverse Shell + +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.entity_id +[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities.asciidoc new file mode 100644 index 0000000000..7326e976ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities]] +=== Potential Shadow File Read via Command Line Utilities + +Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and +(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not +(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not +(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account.asciidoc new file mode 100644 index 0000000000..54df8cfa33 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account]] +=== Potential SSH Brute Force Detected on Privileged Account + +Identifies multiple consecutive login failures targeting a root user account from the same source address and within a short time interval. Adversaries will often brute force login attempts on privileged accounts with a common or known password, in an attempt to gain privileged access to systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-system.auth-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential SSH Brute Force Attack on Privileged Account + +The rule identifies consecutive SSH login failures targeting a privileged (root) account from the same source IP address to the same target host indicating brute force login attempts. + +#### Possible investigation steps + +- Investigate the login failure on privileged account(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip with maxspan=10s + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and + source.ip != "::" and user.name : ("*root*" , "*admin*")] with runs=3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-password-guessing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-password-guessing.asciidoc new file mode 100644 index 0000000000..f08a11af8e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-ssh-password-guessing.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-6-9-potential-ssh-password-guessing]] +=== Potential SSH Password Guessing + +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-system.auth-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential SSH Password Guessing Attack + +The rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s). +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=3s + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 + + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..b84dcdc661 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc @@ -0,0 +1,94 @@ +[[prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected]] +=== Potential Successful Linux FTP Brute Force Attack Detected + +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +``` +For this detection rule no additional audit rules are required to be added to the integration. +``` +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, auditd.data.addr, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..474caac331 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc @@ -0,0 +1,92 @@ +[[prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected]] +=== Potential Successful Linux RDP Brute Force Attack Detected + +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +``` +For this detection rule no additional audit rules are required to be added to the integration. +``` +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected.asciidoc new file mode 100644 index 0000000000..85e1d6e3f4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected]] +=== Potential SYN-Based Network Scan Detected + +This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.network-* +* logs-network_traffic.* +* packetbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Network +* Tactic: Discovery +* Tactic: Reconnaissance +* Use Case: Network Security Monitoring + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +destination.port :* and network.packets <= 2 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ +* Tactic: +** Name: Reconnaissance +** ID: TA0043 +** Reference URL: https://attack.mitre.org/tactics/TA0043/ +* Technique: +** Name: Active Scanning +** ID: T1595 +** Reference URL: https://attack.mitre.org/techniques/T1595/ +* Sub-technique: +** Name: Scanning IP Blocks +** ID: T1595.001 +** Reference URL: https://attack.mitre.org/techniques/T1595/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-rdp-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-rdp-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..d62b856d96 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-rdp-enabled-via-registry.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-6-9-rdp-enabled-via-registry]] +=== RDP Enabled via Registry + +Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating RDP Enabled via Registry + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts. + +This rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it using firewall rules: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + event.type in ("creation", "change") and + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and + registry.data.strings : ("0", "0x00000000") and + not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe", + "?:\\Windows\\System32\\SystemPropertiesComputerName.exe", + "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe", + "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", + "?:\\Windows\\WinSxS\\*\\TiWorker.exe", + "?:\\Windows\\system32\\svchost.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-remotely-started-services-via-rpc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-remotely-started-services-via-rpc.asciidoc new file mode 100644 index 0000000000..df1a466ce5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-remotely-started-services-via-rpc.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-6-9-remotely-started-services-via-rpc]] +=== Remotely Started Services via RPC + +Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remotely Started Services via RPC + +The Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated. + +This rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system. +- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1s + [network where host.os.type == "windows" and process.name : "services.exe" and + network.direction : ("incoming", "ingress") and network.transport == "tcp" and + source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" + ] by host.id, process.entity_id + [process where host.os.type == "windows" and + event.type == "start" and process.parent.name : "services.exe" and + not (process.executable : "?:\\Windows\\System32\\svchost.exe" and process.args : "tiledatamodelsvc") and + not (process.executable : "?:\\Windows\\System32\\msiexec.exe" and process.args : "/V") and + not process.executable : + ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe", + "?:\\Windows\\System32\\VSSVC.exe", + "?:\\Windows\\servicing\\TrustedInstaller.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Windows\\PSEXESVC.EXE", + "?:\\Windows\\System32\\sppsvc.exe", + "?:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "?:\\WINDOWS\\RemoteAuditService.exe", + "?:\\Windows\\VeeamVssSupport\\VeeamGuestHelper.exe", + "?:\\Windows\\VeeamLogShipper\\VeeamLogShipper.exe", + "?:\\Windows\\CAInvokerService.exe", + "?:\\Windows\\System32\\upfc.exe", + "?:\\Windows\\AdminArsenal\\PDQ*.exe", + "?:\\Windows\\System32\\vds.exe", + "?:\\Windows\\Veeam\\Backup\\VeeamDeploymentSvc.exe", + "?:\\Windows\\ProPatches\\Scheduler\\STSchedEx.exe", + "?:\\Windows\\System32\\certsrv.exe", + "?:\\Windows\\eset-remote-install-service.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Pella Corporation\\OSCToGPAutoService\\OSCToGPAutoSvc.exe", + "?:\\Pella Corporation\\Pella Order Management\\GPAutoSvc.exe", + "?:\\Windows\\SysWOW64\\NwxExeSvc\\NwxExeSvc.exe", + "?:\\Windows\\System32\\taskhostex.exe") + ] by host.id, process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe.asciidoc new file mode 100644 index 0000000000..9c02d975d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe]] +=== Reverse Shell Created via Named Pipe + +Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998 +* https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/ +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 5s + [process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")] + [process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or + (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))] + [process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or + (process.name: "openssl" and process.executable: "/usr/bin/openssl"))] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll.asciidoc new file mode 100644 index 0000000000..6e8f8dd30c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll]] +=== Suspicious Antimalware Scan Interface DLL + +Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Antimalware Scan Interface DLL + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Attackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the process that created the DLL and which account was used. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Investigate other processes launched from the directory that the DLL was created. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action != "deletion" and file.path != null and + file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc new file mode 100644 index 0000000000..68bf58ef6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip]] +=== Suspicious Content Extracted or Decompressed via Funzip + +Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0482/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and +not process.args : "/var/log/messages" and +not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and +not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility.asciidoc new file mode 100644 index 0000000000..e2b68c2634 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility]] +=== Suspicious Data Encryption via OpenSSL Utility + +Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ +* https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.name, process.parent.entity_id with maxspan=5s + [ process where host.os.type == "linux" and event.action == "exec" and + process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and + process.args == "-in" and process.args == "-out" and + process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and + /* excluding base64 encoding options and including encryption password or key params */ + not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc new file mode 100644 index 0000000000..0406700a25 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc @@ -0,0 +1,154 @@ +[[prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation]] +=== Suspicious DLL Loaded for Persistence or Privilege Escalation + +Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/windows-dll-hijacking-clarified/ +* http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +* https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html +* https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html +* https://windows-internals.com/faxing-your-way-to-system/ +* http://waleedassar.blogspot.com/2013/01/wow64logdll.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation + +Attackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process. + +#### Possible investigation steps + +- Examine the DLL signature and identify the process that created it. + - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the DLL and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded*")) and + ( + /* compatible with Elastic Endpoint Library Events */ + (dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") + and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or + + /* compatible with Sysmon EventID 7 - Image Load */ + (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and + not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll") and + not file.hash.sha256 : + ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", + "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4", + "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and + not file.code_signature.status == "Valid") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected.asciidoc new file mode 100644 index 0000000000..3967968964 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected]] +=== Suspicious File Changes Activity Detected + +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [ file where host.os.type == "linux" and event.type == "change" and + event.action == "rename" and file.extension != "" and + file.path : ( + "/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*" + ) and not + file.extension : ( + "xml", "json", "conf", "dat", "gz", "info", "mod", "final", + "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old" + ) and not + process.name : ( + "dpkg", "yum", "dnf", "rpm", "dockerd" + ) ] with runs=100 | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..6ab3497b1e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence.asciidoc @@ -0,0 +1,113 @@ +[[prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Threat: Lightning Framework +* Data Source: Elastic Endgame + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr//lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", +"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", +"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension == "swp" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-modprobe-file-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-modprobe-file-event.asciidoc new file mode 100644 index 0000000000..72e45f50e0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-modprobe-file-event.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-6-9-suspicious-modprobe-file-event]] +=== Suspicious Modprobe File Event + +Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. + +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: +``` +-w /etc/modprobe.conf -p wa -k modprobe +-w /etc/modprobe.d -p wa -k modprobe +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and +file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not +(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root.asciidoc new file mode 100644 index 0000000000..ac0d7c7d0b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root]] +=== Suspicious Network Connection Attempt by Root + +Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis +### Investigating Connection Attempt by Non-SSH Root Session +Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation: +- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'. +- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener. +- Analyze anomalies in the use of files that do not normally initiate connections. +- Examine processes utilizing the network that do not normally have network communication. + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] +[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and + not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Non-Application Layer Protocol +** ID: T1095 +** Reference URL: https://attack.mitre.org/techniques/T1095/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload.asciidoc new file mode 100644 index 0000000000..4e4893a698 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload]] +=== Suspicious PowerShell Engine ImageLoad + +Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PowerShell Engine ImageLoad + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called "PowerShell without PowerShell," works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and + dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and + not + ( + /* MS Signed Binaries */ + ( + process.code_signature.subject_name : ( + "Microsoft Windows", + "Microsoft Dynamic Code Publisher", + "Microsoft Corporation" + ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe") + ) or + + /* Signed Executables from the Program Files folder */ + ( + process.executable : ( + "?:\\Program Files (x86)\\*.exe", + "?:\\Program Files\\*.exe" + ) and process.code_signature.trusted == true + ) or + + /* Lenovo */ + ( + process.executable : ( + "?:\\Windows\\Lenovo\\*.exe" + ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration.asciidoc new file mode 100644 index 0000000000..b21379359c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration]] +=== Suspicious Proc Pseudo File System Enumeration + +This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. + +*Rule type*: threshold + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. + +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: +``` +-w /proc/ -p r -k audit_proc +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and +file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-sysctl-file-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-sysctl-file-event.asciidoc new file mode 100644 index 0000000000..5ca27dd0fe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-sysctl-file-event.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-6-9-suspicious-sysctl-file-event]] +=== Suspicious Sysctl File Event + +Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. + +``` +Kibana --> +Management --> +Integrations --> +Auditd Manager --> +Add Auditd Manager +``` + +`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. + +For this detection rule to trigger, the following additional audit rules are required to be added to the integration: + +``` +-w /etc/sysctl.conf -p wa -k sysctl +-w /etc/sysctl.d -p wa -k sysctl +``` + +Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and +file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..df651bfe7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable]] +=== Suspicious System Commands Executed by Previously Unknown Executable + +This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "process" and +event.action : ("exec" or "exec_event" or "fork" or "fork_event") and +process.executable : ( + /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or + /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or + /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/* + ) and process.args : ( + "whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or + "ps" or "pwd" or "ls" + ) and not process.name : ( + "sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or + "pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..a4d9919d9c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream.asciidoc @@ -0,0 +1,186 @@ +[[prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream]] +=== Unusual File Creation - Alternate Data Stream + +Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual File Creation - Alternate Data Stream + +Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute. + +The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream. + +Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this: + - `Get-Content C:\Path\To\file.exe -stream SampleAlternateDataStreamName` +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + + file.path : "C:\\*:*" and + not file.path : "C:\\*:zone.identifier*" and + + not process.executable : + ("?:\\windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\sihost.exe", + "?:\\Windows\\System32\\PickerHost.exe", + "?:\\Windows\\System32\\SearchProtocolHost.exe", + "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", + "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE") and + + file.extension : + ( + "pdf", + "dll", + "png", + "exe", + "dat", + "com", + "bat", + "cmd", + "sys", + "vbs", + "ps1", + "hta", + "txt", + "vbe", + "js", + "wsh", + "docx", + "doc", + "xlsx", + "xls", + "pptx", + "ppt", + "rtf", + "gif", + "jpg", + "png", + "bmp", + "img", + "iso" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-wmi-incoming-lateral-movement.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-wmi-incoming-lateral-movement.asciidoc new file mode 100644 index 0000000000..22e1dec6d9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rule-8-6-9-wmi-incoming-lateral-movement.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-6-9-wmi-incoming-lateral-movement]] +=== WMI Incoming Lateral Movement + +Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan = 2s + + /* Accepted Incoming RPC connection by Winmgmt service */ + + [network where host.os.type == "windows" and process.name : "svchost.exe" and network.direction : ("incoming", "ingress") and + source.ip != "127.0.0.1" and source.ip != "::1" and source.port >= 49152 and destination.port >= 49152 + ] + + /* Excluding Common FPs Nessus and SCCM */ + + [process where host.os.type == "windows" and event.type == "start" and process.parent.name : "WmiPrvSE.exe" and + not process.args : ("C:\\windows\\temp\\nessus_*.txt", + "*C:\\windows\\TEMP\\nessus_*.TMP*", + "*C:\\Windows\\CCM\\SystemTemp\\*", + "C:\\Windows\\CCM\\ccmrepair.exe", + "C:\\Windows\\CCMCache\\*", + "C:\\CCM\\Cache\\*") + ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-appendix.asciidoc new file mode 100644 index 0000000000..0cd5b6e4a1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-appendix.asciidoc @@ -0,0 +1,55 @@ +["appendix",role="exclude",id="prebuilt-rule-8-6-9-prebuilt-rules-8-6-9-appendix"] += Downloadable rule update v8.6.9 + +This section lists all updates associated with version 8.6.9 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-6-9-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-process-injection-via-ld-preload-environment-variable.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-modprobe-file-event.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-sysctl-file-event.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-proc-pseudo-file-system-enumeration.asciidoc[] +include::prebuilt-rule-8-6-9-potential-code-execution-via-postgresql.asciidoc[] +include::prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-8-6-9-potential-reverse-shell-via-java.asciidoc[] +include::prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-child-process.asciidoc[] +include::prebuilt-rule-8-6-9-potential-reverse-shell-via-suspicious-binary.asciidoc[] +include::prebuilt-rule-8-6-9-potential-reverse-shell.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-data-encryption-via-openssl-utility.asciidoc[] +include::prebuilt-rule-8-6-9-kernel-load-or-unload-via-kexec-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-network-sweep-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-syn-based-network-scan-detected.asciidoc[] +include::prebuilt-rule-8-6-9-first-time-seen-removable-device.asciidoc[] +include::prebuilt-rule-8-6-9-elastic-agent-service-terminated.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-network-connection-attempt-by-root.asciidoc[] +include::prebuilt-rule-8-6-9-potential-ssh-password-guessing.asciidoc[] +include::prebuilt-rule-8-6-9-potential-external-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-internal-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-6-9-attempt-to-disable-syslog-service.asciidoc[] +include::prebuilt-rule-8-6-9-abnormal-process-id-or-lock-file-created.asciidoc[] +include::prebuilt-rule-8-6-9-interactive-terminal-spawned-via-python.asciidoc[] +include::prebuilt-rule-8-6-9-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-file-changes-activity-detected.asciidoc[] +include::prebuilt-rule-8-6-9-potential-linux-ransomware-note-creation-detected.asciidoc[] +include::prebuilt-rule-8-6-9-high-number-of-process-terminations.asciidoc[] +include::prebuilt-rule-8-6-9-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-8-6-9-modification-of-dynamic-linker-preload-shared-object.asciidoc[] +include::prebuilt-rule-8-6-9-potential-shadow-file-read-via-command-line-utilities.asciidoc[] +include::prebuilt-rule-8-6-9-multiple-vault-web-credentials-read.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-antimalware-scan-interface-dll.asciidoc[] +include::prebuilt-rule-8-6-9-unusual-file-creation-alternate-data-stream.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-powershell-engine-imageload.asciidoc[] +include::prebuilt-rule-8-6-9-incoming-execution-via-winrm-remote-shell.asciidoc[] +include::prebuilt-rule-8-6-9-wmi-incoming-lateral-movement.asciidoc[] +include::prebuilt-rule-8-6-9-incoming-execution-via-powershell-remoting.asciidoc[] +include::prebuilt-rule-8-6-9-rdp-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-6-9-remotely-started-services-via-rpc.asciidoc[] +include::prebuilt-rule-8-6-9-a-scheduled-task-was-updated.asciidoc[] +include::prebuilt-rule-8-6-9-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc[] +include::prebuilt-rule-8-6-9-potential-ssh-brute-force-detected-on-privileged-account.asciidoc[] +include::prebuilt-rule-8-6-9-reverse-shell-created-via-named-pipe.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-summary.asciidoc new file mode 100644 index 0000000000..bbe3596996 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-summary.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-6-9-prebuilt-rules-8-6-9-summary]] +[role="xpack"] +== Update v8.6.9 + +This section lists all updates associated with version 8.6.9 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. | new | 1 + +|<> | An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. | new | 1 + +|<> | This rule detects the execution of a process where the LD_PRELOAD environment variable is set. LD_PRELOAD can be used to inject a shared library into a binary at or prior to execution. A threat actor may do this in order to load a malicious shared library for the purposes of persistence, privilege escalation, and defense evasion. This activity is not common and will potentially indicate malicious or suspicious behavior. | new | 1 + +|<> | Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system. | new | 1 + +|<> | Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security. | new | 1 + +|<> | This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets. | new | 1 + +|<> | This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. | new | 1 + +|<> | This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. | new | 1 + +|<> | This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. | new | 1 + +|<> | This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. | new | 1 + +|<> | This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. | new | 1 + +|<> | This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. | new | 1 + +|<> | Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. | new | 1 + +|<> | This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | new | 1 + +|<> | Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. | new | 1 + +|<> | This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. | new | 1 + +|<> | This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services. | new | 1 + +|<> | This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports. | new | 1 + +|<> | This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port. | new | 1 + +|<> | Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices. | new | 1 + +|<> | Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. | update | 103 + +|<> | Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate a potential reverse shell activity via a privileged process. | update | 104 + +|<> | Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. | update | 6 + +|<> | Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 3 + +|<> | Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 7 + +|<> | Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. | update | 105 + +|<> | Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. | update | 207 + +|<> | Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. | update | 106 + +|<> | Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. | update | 106 + +|<> | This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. | update | 3 + +|<> | This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. | update | 3 + +|<> | This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. | update | 107 + +|<> | Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. | update | 105 + +|<> | Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. | update | 107 + +|<> | Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. | update | 105 + +|<> | Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. | update | 105 + +|<> | Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. | update | 8 + +|<> | Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. | update | 5 + +|<> | Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. | update | 109 + +|<> | Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily. | update | 107 + +|<> | Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement. | update | 105 + +|<> | Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts. | update | 106 + +|<> | Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement. | update | 105 + +|<> | Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. | update | 106 + +|<> | Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators." | update | 107 + +|<> | Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. | update | 8 + +|<> | Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. | update | 106 + +|<> | Identifies multiple consecutive login failures targeting a root user account from the same source address and within a short time interval. Adversaries will often brute force login attempts on privileged accounts with a common or known password, in an attempt to gain privileged access to systems. | deprecated | 6 + +|<> | Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution. | deprecated | 7 + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index e4320fb600..be05541ccb 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -11,6 +11,9 @@ To download the latest updates, follow the instructions in <> | 14 Jul 2023 | 20 | 27 | +updating rules for 8.6.9 release package + |<> | 29 Jun 2023 | 4 | 8 | This release includes new Threat Indicator rules for IP addresses, domains, URLs, file hashes and Windows registry keys. Additionally, Windows rules for PowerShell abuse have been tuned for better rule efficacy. @@ -177,3 +180,4 @@ include::downloadable-packages/8-6-5/prebuilt-rules-8-6-5-summary.asciidoc[level include::downloadable-packages/8-6-6/prebuilt-rules-8-6-6-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-6-7/prebuilt-rules-8-6-7-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-6-8/prebuilt-rules-8-6-8-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-6-9/prebuilt-rules-8-6-9-summary.asciidoc[leveloffset=+1] diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 41ef4e06b7..262c7ccaa3 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -103,3 +103,5 @@ include::detections/prebuilt-rules/downloadable-packages/8-6-6/prebuilt-rules-8- include::detections/prebuilt-rules/downloadable-packages/8-6-7/prebuilt-rules-8-6-7-appendix.asciidoc[] include::detections/prebuilt-rules/downloadable-packages/8-6-8/prebuilt-rules-8-6-8-appendix.asciidoc[] + +include::detections/prebuilt-rules/downloadable-packages/8-6-9/prebuilt-rules-8-6-9-appendix.asciidoc[]