From 3b1f6f8d6a1c23d72696b4a8767297442b913b7f Mon Sep 17 00:00:00 2001 From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Fri, 23 Feb 2024 22:06:58 +0000 Subject: [PATCH 1/2] Update latest docs --- ...tempt-to-clear-kernel-ring-buffer.asciidoc | 112 +++++++++ ...t-to-disable-iptables-or-firewall.asciidoc | 115 ++++++++++ ...base32-encoding-decoding-activity.asciidoc | 120 ++++++++++ ...s-and-directories-via-commandline.asciidoc | 126 ++++++++++ ...tion-of-hidden-shared-object-file.asciidoc | 123 ++++++++++ ...-timestomping-using-touch-command.asciidoc | 106 +++++++++ ...ble-media-with-network-connection.asciidoc | 67 ++++++ ...e-8-10-12-file-deletion-via-shred.asciidoc | 102 ++++++++ ...odification-in-writable-directory.asciidoc | 112 +++++++++ ...seen-newcredentials-logon-process.asciidoc | 66 ++++++ ...ctive-logon-by-an-unusual-process.asciidoc | 95 ++++++++ ...rnel-driver-load-by-non-root-user.asciidoc | 108 +++++++++ ...ule-8-10-12-kernel-module-removal.asciidoc | 116 ++++++++++ ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 104 +++++++++ ...network-activity-detected-via-cat.asciidoc | 181 +++++++++++++++ ...tential-defense-evasion-via-proot.asciidoc | 98 ++++++++ ...2-potential-disabling-of-apparmor.asciidoc | 107 +++++++++ ...12-potential-disabling-of-selinux.asciidoc | 120 ++++++++++ ...-hidden-process-via-mount-hidepid.asciidoc | 102 ++++++++ ...ntial-dumping-via-proc-filesystem.asciidoc | 110 +++++++++ ...x-credential-dumping-via-unshadow.asciidoc | 103 +++++++++ ...ocal-account-brute-force-detected.asciidoc | 104 +++++++++ ...-tunneling-and-or-port-forwarding.asciidoc | 193 ++++++++++++++++ ...erading-as-business-app-installer.asciidoc | 217 ++++++++++++++++++ ...tential-meterpreter-reverse-shell.asciidoc | 129 +++++++++++ ...-pspy-process-monitoring-detected.asciidoc | 101 ++++++++ ...remote-file-execution-via-msiexec.asciidoc | 106 +++++++++ ...2-potential-reverse-shell-via-udp.asciidoc | 139 +++++++++++ ...x-ftp-brute-force-attack-detected.asciidoc | 123 ++++++++++ ...x-rdp-brute-force-attack-detected.asciidoc | 121 ++++++++++ ...s-created-with-a-duplicated-token.asciidoc | 95 ++++++++ ...mote-xsl-script-execution-via-com.asciidoc | 83 +++++++ ...us-antimalware-scan-interface-dll.asciidoc | 141 ++++++++++++ ...picious-execution-from-inet-cache.asciidoc | 82 +++++++ ...spicious-passwd-file-event-action.asciidoc | 127 ++++++++++ ...-utility-launched-via-proxychains.asciidoc | 183 +++++++++++++++ ...-or-moved-to-suspicious-directory.asciidoc | 128 +++++++++++ .../prebuilt-rules-8-10-12-appendix.asciidoc | 43 ++++ .../prebuilt-rules-8-10-12-summary.asciidoc | 86 +++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 126 +++++----- .../prebuilt-rules/rule-desc-index.asciidoc | 1 + ...l-process-id-or-lock-file-created.asciidoc | 58 ++++- .../abnormally-large-dns-response.asciidoc | 35 +-- ...ess-of-stored-browser-credentials.asciidoc | 35 +++ ...ess-to-a-sensitive-ldap-attribute.asciidoc | 19 ++ ...-keychain-credentials-directories.asciidoc | 35 +++ ...ured-with-never-expiring-password.asciidoc | 25 +- ...covery-command-via-system-account.asciidoc | 34 ++- .../account-password-reset-remotely.asciidoc | 3 - ...-hidden-file-attribute-via-attrib.asciidoc | 25 +- .../adfind-command-activity.asciidoc | 40 +++- ...vileges-assigned-to-an-okta-group.asciidoc | 8 +- ...tor-role-assigned-to-an-okta-user.asciidoc | 8 +- ...insdholder-sdprop-exclusion-added.asciidoc | 48 +++- .../adobe-hijack-persistence.asciidoc | 36 ++- ...us-process-for-a-linux-population.asciidoc | 23 +- ...-process-for-a-windows-population.asciidoc | 29 ++- ...nomalous-windows-process-creation.asciidoc | 29 ++- ...on-followed-by-network-connection.asciidoc | 35 +++ ...ion-with-administrator-privileges.asciidoc | 35 +++ ...-added-to-google-workspace-domain.asciidoc | 34 ++- ...rom-blocklist-in-google-workspace.asciidoc | 34 ++- ...tempt-to-clear-kernel-ring-buffer.asciidoc | 46 +++- .../attempt-to-create-okta-api-token.asciidoc | 8 +- ...to-deactivate-an-okta-application.asciidoc | 28 ++- ...o-deactivate-an-okta-network-zone.asciidoc | 28 ++- ...to-deactivate-an-okta-policy-rule.asciidoc | 30 ++- ...empt-to-deactivate-an-okta-policy.asciidoc | 30 ++- ...mpt-to-delete-an-okta-application.asciidoc | 8 +- ...pt-to-delete-an-okta-network-zone.asciidoc | 28 ++- ...mpt-to-delete-an-okta-policy-rule.asciidoc | 30 ++- .../attempt-to-delete-an-okta-policy.asciidoc | 30 ++- .../attempt-to-disable-gatekeeper.asciidoc | 35 +++ ...t-to-disable-iptables-or-firewall.asciidoc | 41 +++- ...attempt-to-disable-syslog-service.asciidoc | 51 ++++ ...ttempt-to-enable-the-root-account.asciidoc | 35 +++ ...tempt-to-install-root-certificate.asciidoc | 35 +++ ...mpt-to-modify-an-okta-application.asciidoc | 8 +- ...pt-to-modify-an-okta-network-zone.asciidoc | 30 ++- ...mpt-to-modify-an-okta-policy-rule.asciidoc | 30 ++- .../attempt-to-modify-an-okta-policy.asciidoc | 28 ++- ...-mount-smb-share-via-command-line.asciidoc | 35 +++ ...-remove-file-quarantine-attribute.asciidoc | 35 +++ ...-factors-for-an-okta-user-account.asciidoc | 8 +- .../attempt-to-revoke-okta-api-token.asciidoc | 28 ++- ...ndpoint-security-kernel-extension.asciidoc | 35 +++ .../attempted-bypass-of-okta-mfa.asciidoc | 30 ++- ...orce-a-microsoft-365-user-account.asciidoc | 8 +- ...-brute-force-an-okta-user-account.asciidoc | 28 ++- ...authorization-plugin-modification.asciidoc | 35 +++ .../aws-cloudtrail-log-created.asciidoc | 8 +- .../aws-cloudtrail-log-deleted.asciidoc | 30 ++- .../aws-cloudtrail-log-suspended.asciidoc | 30 ++- .../aws-cloudtrail-log-updated.asciidoc | 30 ++- .../aws-cloudwatch-alarm-deletion.asciidoc | 30 ++- ...aws-cloudwatch-log-group-deletion.asciidoc | 30 ++- ...ws-cloudwatch-log-stream-deletion.asciidoc | 30 ++- .../aws-config-resource-deletion.asciidoc | 30 ++- ...ws-configuration-recorder-stopped.asciidoc | 8 +- ...letion-of-rds-instance-or-cluster.asciidoc | 8 +- .../aws-ec2-encryption-disabled.asciidoc | 8 +- ...l-network-packet-capture-detected.asciidoc | 8 +- ...work-access-control-list-creation.asciidoc | 8 +- ...work-access-control-list-deletion.asciidoc | 8 +- .../aws-ec2-snapshot-activity.asciidoc | 30 ++- .../aws-ec2-vm-export-failure.asciidoc | 8 +- ...-efs-file-system-or-mount-deleted.asciidoc | 8 +- ...lasticache-security-group-created.asciidoc | 8 +- ...ecurity-group-modified-or-deleted.asciidoc | 8 +- ...ntbridge-rule-disabled-or-deleted.asciidoc | 8 +- .../aws-execution-via-system-manager.asciidoc | 30 ++- .../aws-guardduty-detector-deletion.asciidoc | 8 +- ...aws-iam-assume-role-policy-update.asciidoc | 32 ++- ...brute-force-of-assume-role-policy.asciidoc | 30 ++- ...ws-iam-deactivation-of-mfa-device.asciidoc | 32 ++- .../aws-iam-group-creation.asciidoc | 8 +- .../aws-iam-group-deletion.asciidoc | 8 +- ...s-iam-password-recovery-requested.asciidoc | 8 +- .../aws-iam-user-addition-to-group.asciidoc | 30 ++- ...isabled-or-scheduled-for-deletion.asciidoc | 8 +- ...brute-force-of-root-user-identity.asciidoc | 8 +- ...aws-management-console-root-login.asciidoc | 32 ++- .../aws-rds-cluster-creation.asciidoc | 8 +- ...aws-rds-instance-cluster-stoppage.asciidoc | 8 +- .../aws-rds-instance-creation.asciidoc | 8 +- .../aws-rds-security-group-creation.asciidoc | 8 +- .../aws-rds-security-group-deletion.asciidoc | 8 +- .../aws-rds-snapshot-export.asciidoc | 8 +- .../aws-rds-snapshot-restored.asciidoc | 8 +- .../aws-redshift-cluster-creation.asciidoc | 8 +- .../aws-root-login-without-mfa.asciidoc | 34 ++- ...-53-domain-transfer-lock-disabled.asciidoc | 8 +- ...in-transferred-to-another-account.asciidoc | 8 +- .../aws-route-table-created.asciidoc | 8 +- ...s-route-table-modified-or-deleted.asciidoc | 8 +- ...hosted-zone-associated-with-a-vpc.asciidoc | 8 +- ...-s3-bucket-configuration-deletion.asciidoc | 8 +- .../rule-details/aws-saml-activity.asciidoc | 8 +- ...up-configuration-change-detection.asciidoc | 8 +- ...oken-service-sts-assumerole-usage.asciidoc | 8 +- .../aws-sts-getsessiontoken-abuse.asciidoc | 8 +- .../aws-vpc-flow-logs-deletion.asciidoc | 30 ++- ...-waf-access-control-list-deletion.asciidoc | 8 +- ...s-waf-rule-or-rule-group-deletion.asciidoc | 8 +- ...ctive-directory-high-risk-sign-in.asciidoc | 35 ++- ...-high-risk-user-sign-in-heuristic.asciidoc | 32 ++- ...tive-directory-powershell-sign-in.asciidoc | 30 ++- ...lobal-administrator-role-assigned.asciidoc | 8 +- ...pression-rule-created-or-modified.asciidoc | 8 +- ...plication-credential-modification.asciidoc | 8 +- .../azure-automation-account-created.asciidoc | 8 +- ...ation-runbook-created-or-modified.asciidoc | 8 +- .../azure-automation-runbook-deleted.asciidoc | 8 +- .../azure-automation-webhook-created.asciidoc | 8 +- ...ntainer-access-level-modification.asciidoc | 8 +- ...ure-blob-permissions-modification.asciidoc | 8 +- ...mand-execution-on-virtual-machine.asciidoc | 8 +- ...onditional-access-policy-modified.asciidoc | 8 +- ...zure-diagnostic-settings-deletion.asciidoc | 8 +- ...orization-rule-created-or-updated.asciidoc | 8 +- .../azure-event-hub-deletion.asciidoc | 8 +- ...re-external-guest-user-invitation.asciidoc | 8 +- .../azure-firewall-policy-deletion.asciidoc | 8 +- ...ation-firewall-waf-policy-deleted.asciidoc | 8 +- ...l-network-packet-capture-detected.asciidoc | 8 +- ...strator-role-addition-to-pim-user.asciidoc | 8 +- .../azure-key-vault-modified.asciidoc | 8 +- .../azure-kubernetes-events-deleted.asciidoc | 8 +- .../azure-kubernetes-pods-deleted.asciidoc | 8 +- ...e-kubernetes-rolebindings-created.asciidoc | 8 +- .../azure-network-watcher-deletion.asciidoc | 8 +- ...identity-management-role-modified.asciidoc | 30 ++- .../azure-resource-group-deletion.asciidoc | 8 +- .../azure-service-principal-addition.asciidoc | 30 ++- ...rvice-principal-credentials-added.asciidoc | 8 +- ...e-storage-account-key-regenerated.asciidoc | 8 +- ...etwork-device-modified-or-deleted.asciidoc | 8 +- ...base32-encoding-decoding-activity.asciidoc | 63 ++++- ...uted-from-shared-memory-directory.asciidoc | 35 +++ .../bpf-filter-applied-using-tc.asciidoc | 35 +++ .../bypass-uac-via-event-viewer.asciidoc | 38 ++- .../chkconfig-service-add.asciidoc | 66 +++++- .../clearing-windows-console-history.asciidoc | 34 ++- .../clearing-windows-event-logs.asciidoc | 34 ++- ...strike-command-and-control-beacon.asciidoc | 7 +- ...dification-through-built-in-tools.asciidoc | 29 ++- ...icy-modification-through-registry.asciidoc | 29 ++- ...-execution-via-solarwinds-process.asciidoc | 11 + ...command-prompt-network-connection.asciidoc | 25 +- ...ell-activity-started-via-rundll32.asciidoc | 11 + .../component-object-model-hijacking.asciidoc | 34 ++- ...wned-by-suspicious-parent-process.asciidoc | 38 ++- ...ed-free-ssl-certificate-providers.asciidoc | 11 + ...n-to-commonly-abused-web-services.asciidoc | 27 ++- ...on-to-external-network-via-telnet.asciidoc | 51 ++++ ...on-to-internal-network-via-telnet.asciidoc | 51 ++++ ...el-process-with-unusual-arguments.asciidoc | 11 + ...on-of-a-hidden-local-user-account.asciidoc | 34 ++- ...s-and-directories-via-commandline.asciidoc | 61 ++++- ...-of-hidden-launch-agent-or-daemon.asciidoc | 35 +++ ...idden-login-item-via-apple-script.asciidoc | 35 +++ ...tion-of-hidden-shared-object-file.asciidoc | 61 ++++- ...eation-of-settingcontent-ms-files.asciidoc | 5 +- ...new-gpo-scheduled-task-or-service.asciidoc | 11 + ...f-domain-backup-dpapi-private-key.asciidoc | 18 +- ...-modification-of-root-certificate.asciidoc | 36 ++- ...isition-via-registry-hive-dumping.asciidoc | 38 ++- ...ged-by-previously-unknown-process.asciidoc | 66 +++++- ...-privileged-access-security-error.asciidoc | 12 +- ...cess-security-recommended-monitor.asciidoc | 12 +- ...lt-strike-team-server-certificate.asciidoc | 7 +- ...te-volume-usn-journal-with-fsutil.asciidoc | 23 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 38 ++- .../direct-outbound-smb-connection.asciidoc | 25 +- ...ecurity-logs-using-built-in-tools.asciidoc | 34 ++- ...-windows-firewall-rules-via-netsh.asciidoc | 34 ++- ...control-via-registry-modification.asciidoc | 36 ++- ...-security-settings-via-powershell.asciidoc | 38 ++- ...t-capabilities-via-built-in-tools.asciidoc | 4 +- ...s-over-https-enabled-via-registry.asciidoc | 11 + ...-google-workspace-trusted-domains.asciidoc | 34 ++- ...ount-hashes-via-built-in-commands.asciidoc | 35 +++ ...hain-content-via-security-command.asciidoc | 35 +++ .../rule-details/dynamic-linker-copy.asciidoc | 66 +++++- .../elastic-agent-service-terminated.asciidoc | 11 + ...nd-rules-creation-or-modification.asciidoc | 35 +++ ...-host-network-discovery-via-netsh.asciidoc | 34 ++- ...ncrypting-files-with-winrar-or-7z.asciidoc | 34 ++- ...ing-domain-trusts-via-dsquery-exe.asciidoc | 27 ++- ...ting-domain-trusts-via-nltest-exe.asciidoc | 27 ++- ...tion-command-spawned-via-wmiprvse.asciidoc | 11 + ...eration-of-administrator-accounts.asciidoc | 38 ++- ...ration-of-kernel-modules-via-proc.asciidoc | 23 +- .../enumeration-of-kernel-modules.asciidoc | 35 +++ ...rivileged-local-groups-membership.asciidoc | 52 ++++- ...s-or-groups-via-built-in-commands.asciidoc | 35 +++ .../esxi-discovery-via-find.asciidoc | 35 +++ .../esxi-discovery-via-grep.asciidoc | 35 +++ ...-timestomping-using-touch-command.asciidoc | 46 +++- ...nge-mailbox-export-via-powershell.asciidoc | 23 +- ...creation-with-multiple-extensions.asciidoc | 11 + ...le-masquerading-as-kernel-process.asciidoc | 35 +++ ...ble-media-with-network-connection.asciidoc | 3 +- ...om-unusual-directory-command-line.asciidoc | 40 +++- .../execution-of-an-unsigned-service.asciidoc | 5 +- ...ecution-of-com-object-via-xwizard.asciidoc | 11 + ...n-or-modified-by-microsoft-office.asciidoc | 23 +- ...written-or-modified-by-pdf-reader.asciidoc | 23 +- ...tron-child-process-node-js-module.asciidoc | 35 +++ ...ution-via-local-sxs-shared-module.asciidoc | 18 +- ...ssql-xp-cmdshell-stored-procedure.asciidoc | 34 ++- ...execution-via-tsclient-mountpoint.asciidoc | 11 + ...xplicit-credentials-via-scripting.asciidoc | 35 +++ ...g-exchange-mailbox-via-powershell.asciidoc | 34 ++- ...p-lookup-from-non-browser-process.asciidoc | 23 +- ...r-added-to-google-workspace-group.asciidoc | 34 ++- ...-deletion-in-suspicious-directory.asciidoc | 35 +++ .../file-deletion-via-shred.asciidoc | 46 +++- .../file-made-immutable-by-chattr.asciidoc | 56 +++++ ...odification-in-writable-directory.asciidoc | 59 ++++- ...r-listener-established-via-netcat.asciidoc | 74 +++++- ...h-suspicious-extension-downloaded.asciidoc | 8 +- ...ync-plugin-registered-and-enabled.asciidoc | 35 +++ ...ta-user-session-started-via-proxy.asciidoc | 32 ++- ...value-accessed-in-secrets-manager.asciidoc | 32 ++- ...used-remote-access-tool-execution.asciidoc | 23 +- .../first-time-seen-driver-loaded.asciidoc | 31 ++- ...ogin-from-third-party-application.asciidoc | 16 +- ...seen-newcredentials-logon-process.asciidoc | 4 +- ...me-seen-account-performing-dcsync.asciidoc | 44 +++- ...d-google-workspace-security-alert.asciidoc | 12 +- .../gcp-firewall-rule-creation.asciidoc | 8 +- .../gcp-firewall-rule-deletion.asciidoc | 8 +- .../gcp-firewall-rule-modification.asciidoc | 8 +- .../gcp-iam-custom-role-creation.asciidoc | 8 +- .../gcp-iam-role-deletion.asciidoc | 8 +- ...-iam-service-account-key-deletion.asciidoc | 8 +- .../gcp-logging-bucket-deletion.asciidoc | 8 +- .../gcp-logging-sink-deletion.asciidoc | 8 +- .../gcp-logging-sink-modification.asciidoc | 8 +- ...gcp-pub-sub-subscription-creation.asciidoc | 8 +- ...gcp-pub-sub-subscription-deletion.asciidoc | 8 +- .../gcp-pub-sub-topic-creation.asciidoc | 8 +- .../gcp-pub-sub-topic-deletion.asciidoc | 8 +- .../gcp-service-account-creation.asciidoc | 8 +- .../gcp-service-account-deletion.asciidoc | 8 +- .../gcp-service-account-disabled.asciidoc | 8 +- .../gcp-service-account-key-creation.asciidoc | 8 +- ...bucket-configuration-modification.asciidoc | 8 +- .../gcp-storage-bucket-deletion.asciidoc | 8 +- ...e-bucket-permissions-modification.asciidoc | 8 +- ...al-private-cloud-network-deletion.asciidoc | 8 +- ...tual-private-cloud-route-creation.asciidoc | 8 +- ...tual-private-cloud-route-deletion.asciidoc | 8 +- ...-transferred-via-google-workspace.asciidoc | 34 ++- ...gle-workspace-2sv-policy-disabled.asciidoc | 34 ++- ...ace-admin-role-assigned-to-a-user.asciidoc | 34 ++- ...gle-workspace-admin-role-deletion.asciidoc | 34 ++- ...main-wide-delegation-of-authority.asciidoc | 34 ++- ...kspace-bitlocker-setting-disabled.asciidoc | 34 ++- ...rkspace-custom-admin-role-created.asciidoc | 34 ++- ...m-gmail-route-created-or-modified.asciidoc | 34 ++- ...ey-s-accessed-from-anonymous-user.asciidoc | 12 +- ...orkspace-mfa-enforcement-disabled.asciidoc | 36 ++- ...ess-granted-to-custom-application.asciidoc | 38 ++- ...orkspace-password-policy-modified.asciidoc | 34 ++- ...etplace-modified-to-allow-any-app.asciidoc | 34 ++- .../google-workspace-role-modified.asciidoc | 34 ++- ...ce-suspended-user-account-renewed.asciidoc | 12 +- ...-user-organizational-unit-changed.asciidoc | 34 ++- ...licy-abuse-for-privilege-addition.asciidoc | 46 +++- ...ry-via-microsoft-gpresult-utility.asciidoc | 23 +- ...fbaked-command-and-control-beacon.asciidoc | 7 +- ...ocess-arguments-in-an-rdp-session.asciidoc | 36 +++ ...high-mean-of-rdp-session-duration.asciidoc | 36 +++ ...password-reset-or-unlock-attempts.asciidoc | 28 ++- ...ocess-and-or-service-terminations.asciidoc | 23 +- ...gh-number-of-process-terminations.asciidoc | 58 ++++- ...-variance-in-rdp-session-duration.asciidoc | 36 +++ .../rule-details/hosts-file-modified.asciidoc | 39 +++- .../hping-process-activity.asciidoc | 51 ++++ .../iis-http-logging-disabled.asciidoc | 34 ++- ...windows-update-auto-update-client.asciidoc | 36 ++- ...to-an-unsecure-elasticsearch-node.asciidoc | 8 +- ...ingress-transfer-via-windows-bits.asciidoc | 33 ++- ...tion-of-security-support-provider.asciidoc | 11 + ...ctive-logon-by-an-unusual-process.asciidoc | 24 +- ...ractive-terminal-spawned-via-perl.asciidoc | 51 ++++ ...ctive-terminal-spawned-via-python.asciidoc | 35 +++ ...rberos-cached-credentials-dumping.asciidoc | 35 +++ ...-authentication-disabled-for-user.asciidoc | 44 +++- ...eros-traffic-from-unusual-process.asciidoc | 36 ++- ...rnel-driver-load-by-non-root-user.asciidoc | 42 +++- .../rule-details/kernel-driver-load.asciidoc | 34 ++- ...load-or-unload-via-kexec-detected.asciidoc | 35 +++ .../kernel-module-load-via-insmod.asciidoc | 66 +++++- .../kernel-module-removal.asciidoc | 41 +++- ...ssword-retrieval-via-command-line.asciidoc | 35 +++ .../krbtgt-delegation-backdoor.asciidoc | 19 ++ ...etes-anonymous-request-authorized.asciidoc | 8 +- ...with-excessive-linux-capabilities.asciidoc | 20 +- ...es-denied-service-account-request.asciidoc | 8 +- ...ervice-created-with-type-nodeport.asciidoc | 8 +- ...-with-a-sensitive-hostpath-volume.asciidoc | 8 +- ...bernetes-pod-created-with-hostipc.asciidoc | 8 +- ...etes-pod-created-with-hostnetwork.asciidoc | 8 +- ...bernetes-pod-created-with-hostpid.asciidoc | 8 +- ...kubernetes-privileged-pod-created.asciidoc | 8 +- ...ent-of-controller-service-account.asciidoc | 8 +- ...es-suspicious-self-subject-review.asciidoc | 8 +- .../kubernetes-user-exec-into-pod.asciidoc | 8 +- ...teral-movement-via-startup-folder.asciidoc | 11 + ...odification-and-immediate-loading.asciidoc | 35 +++ ...odification-and-immediate-loading.asciidoc | 35 +++ .../linux-group-creation.asciidoc | 57 ++++- ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 41 +++- ...shell-breakout-via-linux-binary-s.asciidoc | 65 +++++- .../linux-user-account-creation.asciidoc | 57 ++++- ...ux-user-added-to-privileged-group.asciidoc | 62 ++++- .../lsass-memory-dump-creation.asciidoc | 36 ++- .../lsass-memory-dump-handle-access.asciidoc | 55 ++++- ...ss-process-access-via-windows-api.asciidoc | 31 ++- ...uest-predicted-to-be-a-dga-domain.asciidoc | 58 +++++ ...with-a-high-dga-probability-score.asciidoc | 58 +++++ ...redicted-to-be-malicious-activity.asciidoc | 60 +++++ ...-high-malicious-probability-score.asciidoc | 60 +++++ ...using-a-known-sunburst-dns-domain.asciidoc | 58 +++++ ...ller-package-spawns-network-event.asciidoc | 35 +++ ...masquerading-space-after-filename.asciidoc | 11 + ...-activation-for-okta-user-account.asciidoc | 29 ++- ...for-google-workspace-organization.asciidoc | 36 ++- ...change-anti-phish-policy-deletion.asciidoc | 8 +- ...ange-anti-phish-rule-modification.asciidoc | 8 +- ...im-signing-configuration-disabled.asciidoc | 8 +- ...t-365-exchange-dlp-policy-removed.asciidoc | 8 +- ...ge-malware-filter-policy-deletion.asciidoc | 8 +- ...-malware-filter-rule-modification.asciidoc | 8 +- ...-management-group-role-assignment.asciidoc | 8 +- ...nge-safe-attachment-rule-disabled.asciidoc | 8 +- ...xchange-safe-link-policy-disabled.asciidoc | 8 +- ...-exchange-transport-rule-creation.asciidoc | 8 +- ...hange-transport-rule-modification.asciidoc | 8 +- ...lobal-administrator-role-assigned.asciidoc | 8 +- ...ft-365-impossible-travel-activity.asciidoc | 8 +- ...365-inbox-forwarding-rule-created.asciidoc | 8 +- ...65-mass-download-by-a-single-user.asciidoc | 8 +- ...365-potential-ransomware-activity.asciidoc | 8 +- ...m-application-interaction-allowed.asciidoc | 8 +- ...365-teams-external-access-enabled.asciidoc | 8 +- ...ft-365-teams-guest-access-enabled.asciidoc | 8 +- ...5-unusual-volume-of-file-deletion.asciidoc | 8 +- ...ser-restricted-from-sending-email.asciidoc | 8 +- ...engine-started-an-unusual-process.asciidoc | 11 + ...ngine-started-by-a-script-process.asciidoc | 11 + ...ngine-started-by-a-system-process.asciidoc | 11 + ...-started-by-an-office-application.asciidoc | 34 ++- ...ld-engine-using-an-alternate-name.asciidoc | 36 ++- ...-um-spawning-suspicious-processes.asciidoc | 11 + ...erver-um-writing-suspicious-files.asciidoc | 22 +- ...ge-transport-agent-install-script.asciidoc | 28 ++- ...ker-spawning-suspicious-processes.asciidoc | 11 + ...iis-connection-strings-decryption.asciidoc | 11 + ...s-service-account-password-dumped.asciidoc | 11 + ...rosoft-windows-defender-tampering.asciidoc | 38 ++- ...mimikatz-memssp-log-file-detected.asciidoc | 40 +++- ...cation-of-amsienable-registry-key.asciidoc | 38 ++- ...odification-of-boot-configuration.asciidoc | 38 ++- ...amic-linker-preload-shared-object.asciidoc | 51 ++++ ...nvironment-variable-via-launchctl.asciidoc | 35 +++ .../modification-of-openssh-binaries.asciidoc | 78 ++++++- ...ari-settings-via-defaults-command.asciidoc | 35 +++ ...on-of-the-mspkiaccountcredentials.asciidoc | 19 ++ ...tion-of-wdigest-security-provider.asciidoc | 38 ++- ...n-okta-application-sign-on-policy.asciidoc | 8 +- ...ng-hidden-or-webdav-remote-shares.asciidoc | 11 + ...o-security-registry-modifications.asciidoc | 34 ++- ...sbuild-making-network-connections.asciidoc | 25 +- ...cation-disabled-for-an-azure-user.asciidoc | 32 ++- ...failure-followed-by-logon-success.asciidoc | 42 +++- ...lure-from-the-same-source-address.asciidoc | 38 ++- ...dresses-for-a-single-user-session.asciidoc | 8 +- ...ssions-detected-for-a-single-user.asciidoc | 8 +- ...-device-token-hash-behind-a-proxy.asciidoc | 28 ++- ...ltiple-vault-web-credentials-read.asciidoc | 11 + .../rule-details/my-first-rule.asciidoc | 3 - ...espace-manipulation-using-unshare.asciidoc | 51 ++++ ...t-listener-established-via-rlwrap.asciidoc | 36 +++ ...network-activity-detected-via-cat.asciidoc | 81 +++++-- ...ork-activity-detected-via-kworker.asciidoc | 36 +++ .../network-connection-via-certutil.asciidoc | 29 ++- ...connection-via-compiled-html-file.asciidoc | 25 +- ...-via-recently-compiled-executable.asciidoc | 35 +++ ...nnection-via-registration-utility.asciidoc | 25 +- ...work-connection-via-signed-binary.asciidoc | 25 +- ...on-provider-registry-modification.asciidoc | 25 +- ...oweddeviceid-added-via-powershell.asciidoc | 11 + ...-authentication-behavior-detected.asciidoc | 28 ++- ...ntity-provider-idp-added-by-admin.asciidoc | 28 ++- ...new-or-modified-federation-domain.asciidoc | 8 +- ...ted-by-previously-unknown-process.asciidoc | 66 +++++- .../new-systemd-timer-created.asciidoc | 62 ++++- .../nping-process-activity.asciidoc | 51 ++++ .../ntds-or-sam-database-file-copied.asciidoc | 36 ++- ...orted-by-user-as-malware-or-phish.asciidoc | 8 +- ...ssive-single-sign-on-logon-errors.asciidoc | 8 +- ...spicious-mailbox-right-delegation.asciidoc | 8 +- ...o365-mailbox-audit-logging-bypass.asciidoc | 8 +- ...force-or-password-spraying-attack.asciidoc | 28 ++- .../okta-fastpass-phishing-detection.asciidoc | 12 +- ...ign-in-events-via-third-party-idp.asciidoc | 28 ++- ...nsight-threat-suspected-promotion.asciidoc | 12 +- .../okta-user-session-impersonation.asciidoc | 28 ++- ...arted-from-different-geolocations.asciidoc | 8 +- .../onedrive-malware-file-upload.asciidoc | 8 +- .../peripheral-device-discovery.asciidoc | 34 ++- ...tence-via-bits-job-notify-cmdline.asciidoc | 11 + ...ectoryservice-plugin-modification.asciidoc | 35 +++ ...-via-docker-shortcut-modification.asciidoc | 35 +++ ...sistence-via-folder-action-script.asciidoc | 35 +++ ...tence-via-hidden-run-key-detected.asciidoc | 11 + ...ript-or-desktop-file-modification.asciidoc | 83 ++++++- ...sistence-via-login-or-logout-hook.asciidoc | 35 +++ ...tence-via-microsoft-office-addins.asciidoc | 11 + ...istence-via-microsoft-outlook-vba.asciidoc | 11 + ...ersistence-via-powershell-profile.asciidoc | 25 +- ...stence-via-scheduled-job-creation.asciidoc | 11 + ...ycontroller-scheduled-task-hijack.asciidoc | 11 + ...pdate-orchestrator-service-hijack.asciidoc | 36 ++- ...stence-via-wmi-event-subscription.asciidoc | 11 + ...ia-wmi-standard-registry-provider.asciidoc | 25 +- ...-scripts-in-the-startup-directory.asciidoc | 40 +++- .../port-forwarding-rule-addition.asciidoc | 34 ++- ...-via-azure-registered-application.asciidoc | 38 +-- ...-dga-command-and-control-behavior.asciidoc | 7 +- .../possible-okta-dos-attack.asciidoc | 8 +- ...tial-admin-group-account-addition.asciidoc | 35 +++ ...n-interface-bypass-via-powershell.asciidoc | 25 +- ...-application-shimming-via-sdbinst.asciidoc | 11 + ...l-buffer-overflow-attack-detected.asciidoc | 14 ++ ...chroot-container-escape-via-mount.asciidoc | 46 ++++ ...ial-code-execution-via-postgresql.asciidoc | 35 +++ ...okies-theft-via-browser-debugging.asciidoc | 11 + ...tial-credential-access-via-dcsync.asciidoc | 46 +++- ...cess-via-duplicatehandle-in-lsass.asciidoc | 11 + ...tial-access-via-lsass-memory-dump.asciidoc | 11 + ...cess-via-renamed-com-services-dll.asciidoc | 37 ++- ...ess-via-trusted-developer-utility.asciidoc | 25 +- ...tial-access-via-windows-utilities.asciidoc | 34 ++- ...-curl-cve-2023-38545-exploitation.asciidoc | 48 ++++ ...ty-to-an-unusual-destination-port.asciidoc | 36 +++ ...activity-to-an-unusual-ip-address.asciidoc | 36 +++ ...n-activity-to-an-unusual-iso-code.asciidoc | 36 +++ ...ion-activity-to-an-unusual-region.asciidoc | 36 +++ ...tential-defense-evasion-via-proot.asciidoc | 41 +++- .../potential-dga-activity.asciidoc | 67 ++++++ .../potential-disabling-of-apparmor.asciidoc | 47 +++- .../potential-disabling-of-selinux.asciidoc | 62 ++++- ...ft-antimalware-service-executable.asciidoc | 11 + ...ng-via-trusted-microsoft-programs.asciidoc | 11 + ...ential-dns-tunneling-via-nslookup.asciidoc | 25 +- ...ential-evasion-via-filter-manager.asciidoc | 27 ++- ...on-via-windows-filtering-platform.asciidoc | 19 ++ ...al-linux-ssh-brute-force-detected.asciidoc | 57 ++++- ...tential-file-transfer-via-certreq.asciidoc | 25 +- ...idden-local-user-account-creation.asciidoc | 35 +++ ...-hidden-process-via-mount-hidepid.asciidoc | 46 +++- ...al-linux-ssh-brute-force-detected.asciidoc | 57 ++++- ...invoke-mimikatz-powershell-script.asciidoc | 53 ++++- ...ntial-kerberos-attack-via-bifrost.asciidoc | 35 +++ ...teral-tool-transfer-via-smb-share.asciidoc | 23 +- ...ux-backdoor-user-account-creation.asciidoc | 62 ++++- ...ntial-dumping-via-proc-filesystem.asciidoc | 48 +++- ...x-credential-dumping-via-unshadow.asciidoc | 43 +++- ...otential-linux-hack-tool-launched.asciidoc | 36 +++ ...ocal-account-brute-force-detected.asciidoc | 47 +++- ...ransomware-note-creation-detected.asciidoc | 35 +++ ...otential-linux-ssh-x11-forwarding.asciidoc | 31 ++- ...-tunneling-and-or-port-forwarding.asciidoc | 98 +++++--- ...e-creation-via-psscapturesnapshot.asciidoc | 13 ++ ...emory-dump-via-psscapturesnapshot.asciidoc | 8 + ...al-macos-ssh-brute-force-detected.asciidoc | 35 +++ ...l-masquerading-as-browser-process.asciidoc | 16 +- ...erading-as-business-app-installer.asciidoc | 3 +- ...tial-masquerading-as-system32-dll.asciidoc | 9 +- ...squerading-as-system32-executable.asciidoc | 5 +- ...tential-meterpreter-reverse-shell.asciidoc | 70 +++++- ...-microsoft-office-sandbox-evasion.asciidoc | 35 +++ ...ication-of-accessibility-binaries.asciidoc | 38 ++- ...l-network-scan-executed-from-host.asciidoc | 36 +++ ...andard-port-http-https-connection.asciidoc | 31 ++- ...fa-bombing-via-push-notifications.asciidoc | 29 ++- ...openssh-backdoor-logging-activity.asciidoc | 56 +++++ ...rdp-connection-by-unusual-process.asciidoc | 14 +- ...ng-of-microsoft-365-user-accounts.asciidoc | 8 +- ...rsistence-through-init-d-detected.asciidoc | 66 +++++- ...rough-motd-file-creation-detected.asciidoc | 66 +++++- ...ence-through-run-control-detected.asciidoc | 62 ++++- ...persistence-through-systemd-udevd.asciidoc | 38 +++ ...via-atom-init-script-modification.asciidoc | 35 +++ ...ential-persistence-via-login-hook.asciidoc | 42 +++- ...al-persistence-via-periodic-tasks.asciidoc | 35 +++ ...ce-via-time-provider-modification.asciidoc | 25 +- ...hacktool-script-by-function-names.asciidoc | 50 +++- ...-bypass-via-localhost-secure-copy.asciidoc | 35 +++ ...rol-bypass-via-tccdb-modification.asciidoc | 35 +++ ...on-through-writable-docker-socket.asciidoc | 35 +++ ...on-via-container-misconfiguration.asciidoc | 46 ++++ ...lege-escalation-via-cve-2023-4911.asciidoc | 48 ++++ ...alation-via-installerfiletakeover.asciidoc | 40 +++- ...rivilege-escalation-via-overlayfs.asciidoc | 35 +++ ...l-privilege-escalation-via-pkexec.asciidoc | 35 +++ ...-escalation-via-python-cap-setuid.asciidoc | 36 +++ ...-via-recently-compiled-executable.asciidoc | 35 +++ ...tion-via-uid-int-max-bug-detected.asciidoc | 35 +++ ...ation-via-samaccountname-spoofing.asciidoc | 10 + ...-process-injection-via-powershell.asciidoc | 48 +++- ...tocol-tunneling-via-chisel-client.asciidoc | 64 +++++- ...tocol-tunneling-via-chisel-server.asciidoc | 66 +++++- ...-protocol-tunneling-via-earthworm.asciidoc | 84 ++++++- ...-pspy-process-monitoring-detected.asciidoc | 42 +++- ...ote-code-execution-via-web-server.asciidoc | 62 ++++- ...te-credential-access-via-registry.asciidoc | 40 +++- ...remote-desktop-shadowing-activity.asciidoc | 11 + ...remote-desktop-tunneling-detected.asciidoc | 34 ++- ...remote-file-execution-via-msiexec.asciidoc | 3 +- ...verse-shell-activity-via-terminal.asciidoc | 35 ++- ...erse-shell-via-background-process.asciidoc | 35 +++ ...potential-reverse-shell-via-child.asciidoc | 36 +++ .../potential-reverse-shell-via-java.asciidoc | 35 +++ ...verse-shell-via-suspicious-binary.asciidoc | 35 +++ ...hell-via-suspicious-child-process.asciidoc | 35 +++ .../potential-reverse-shell-via-udp.asciidoc | 81 +++++-- .../potential-reverse-shell.asciidoc | 35 +++ ...file-deletion-via-sdelete-utility.asciidoc | 23 +- ...ow-credentials-added-to-ad-object.asciidoc | 49 +++- ...e-read-via-command-line-utilities.asciidoc | 35 +++ ...l-via-wildcard-injection-detected.asciidoc | 35 +++ ...ential-ssh-it-ssh-worm-downloaded.asciidoc | 36 +++ ...x-ftp-brute-force-attack-detected.asciidoc | 64 +++++- ...x-rdp-brute-force-attack-detected.asciidoc | 60 ++++- ...successful-ssh-brute-force-attack.asciidoc | 69 +++++- ...potential-sudo-hijacking-detected.asciidoc | 35 +++ ...ege-escalation-via-cve-2019-14287.asciidoc | 35 +++ ...anipulation-via-process-injection.asciidoc | 35 +++ ...icious-debugfs-root-device-access.asciidoc | 35 +++ ...s-via-wildcard-injection-detected.asciidoc | 35 +++ ...-upgrade-of-non-interactive-shell.asciidoc | 35 +++ ...indows-error-manager-masquerading.asciidoc | 25 +- ...fa-bombing-via-push-notifications.asciidoc | 28 ++- ...owershell-invoke-ninjacopy-script.asciidoc | 23 +- .../powershell-kerberos-ticket-dump.asciidoc | 48 +++- ...owershell-kerberos-ticket-request.asciidoc | 46 +++- .../powershell-keylogging-script.asciidoc | 48 +++- ...ershell-mailbox-collection-script.asciidoc | 48 +++- .../powershell-minidump-script.asciidoc | 48 +++- .../powershell-psreflect-script.asciidoc | 51 +++- ...ell-script-block-logging-disabled.asciidoc | 27 ++- ...-archive-compression-capabilities.asciidoc | 20 ++ ...cript-with-discovery-capabilities.asciidoc | 33 ++- ...ncryption-decryption-capabilities.asciidoc | 23 +- ...cript-with-log-clear-capabilities.asciidoc | 25 +- ...ord-policy-discovery-capabilities.asciidoc | 26 ++- ...-execution-capabilities-via-winrm.asciidoc | 26 ++- ...-token-impersonation-capabilities.asciidoc | 49 +++- ...webcam-video-capture-capabilities.asciidoc | 20 ++ ...wershell-share-enumeration-script.asciidoc | 45 +++- ...ery-related-windows-api-functions.asciidoc | 48 +++- ...us-payload-encoded-and-compressed.asciidoc | 50 +++- ...t-with-audio-capture-capabilities.asciidoc | 48 +++- ...-clipboard-retrieval-capabilities.asciidoc | 48 +++- ...ript-with-screenshot-capabilities.asciidoc | 48 +++- ...tion-via-named-pipe-impersonation.asciidoc | 36 ++- ...ia-rogue-named-pipe-impersonation.asciidoc | 14 ++ ...ia-root-crontab-file-modification.asciidoc | 35 +++ .../privileged-account-brute-force.asciidoc | 38 ++- ...s-activity-via-compiled-html-file.asciidoc | 36 ++- ...s-created-with-a-duplicated-token.asciidoc | 9 +- ...cess-creation-via-secondary-logon.asciidoc | 13 ++ ...ecution-from-an-unusual-directory.asciidoc | 40 +++- ...-started-from-process-id-pid-file.asciidoc | 46 +++- ...-termination-followed-by-deletion.asciidoc | 25 +- ...gram-files-directory-masquerading.asciidoc | 11 + ...pt-for-credentials-with-osascript.asciidoc | 35 +++ .../proxychains-activity.asciidoc | 31 ++- .../psexec-network-connection.asciidoc | 23 +- ...script-execution-via-command-line.asciidoc | 11 + .../rule-details/rare-aws-error-code.asciidoc | 34 ++- .../rule-details/rare-user-logon.asciidoc | 23 +- .../rdp-enabled-via-registry.asciidoc | 34 ++- ...istry-persistence-via-appcert-dll.asciidoc | 11 + ...istry-persistence-via-appinit-dll.asciidoc | 36 ++- ...bled-in-windows-firewall-by-netsh.asciidoc | 34 ++- .../remote-execution-via-file-shares.asciidoc | 25 +- ...emote-file-copy-to-a-hidden-share.asciidoc | 11 + .../remote-file-copy-via-teamviewer.asciidoc | 36 ++- ...oad-via-desktopimgdownldr-utility.asciidoc | 38 ++- ...remote-file-download-via-mpcmdrun.asciidoc | 38 ++- ...mote-file-download-via-powershell.asciidoc | 27 ++- ...e-download-via-script-interpreter.asciidoc | 25 +- ...e-scheduled-task-creation-via-rpc.asciidoc | 29 ++- .../remote-scheduled-task-creation.asciidoc | 29 ++- ...n-enabled-via-systemsetup-command.asciidoc | 35 +++ .../remote-system-discovery-commands.asciidoc | 35 ++- ...mote-xsl-script-execution-via-com.asciidoc | 3 +- ...remotely-started-services-via-rpc.asciidoc | 25 +- ...enamed-autoit-scripts-interpreter.asciidoc | 36 ++- ...-executed-with-short-program-name.asciidoc | 25 +- ...file-downloaded-from-the-internet.asciidoc | 7 +- ...-task-created-by-a-windows-script.asciidoc | 7 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 60 ++++- ...cheduled-tasks-at-command-enabled.asciidoc | 11 + ...le-modified-by-unexpected-process.asciidoc | 42 +++- ...or-saved-credentials-via-vaultcmd.asciidoc | 11 + ...ity-software-discovery-using-wmic.asciidoc | 35 ++- ...urity-software-discovery-via-grep.asciidoc | 35 ++- ...e-enabled-by-a-suspicious-process.asciidoc | 20 ++ .../rule-details/segfault-detected.asciidoc | 36 +++ .../sensitive-files-compression.asciidoc | 53 +++++ ...ationprivilege-assigned-to-a-user.asciidoc | 45 +++- ...ol-spawned-via-script-interpreter.asciidoc | 25 +- ...isabled-via-registry-modification.asciidoc | 3 +- ...vice-path-modification-via-sc-exe.asciidoc | 6 +- ...tcap-setuid-setgid-capability-set.asciidoc | 62 ++++- ...ged-by-previously-unknown-process.asciidoc | 62 ++++- .../sharepoint-malware-file-upload.asciidoc | 8 +- ...ell-execution-via-apple-scripting.asciidoc | 35 +++ ...oxy-execution-via-ms-work-folders.asciidoc | 34 ++- ...reupdate-preferences-modification.asciidoc | 35 +++ ...s-disabling-services-via-registry.asciidoc | 11 + .../spike-in-aws-error-messages.asciidoc | 34 ++- ...to-an-external-device-via-airdrop.asciidoc | 35 +++ ...-bytes-sent-to-an-external-device.asciidoc | 35 +++ .../spike-in-failed-logon-events.asciidoc | 23 +- ...e-in-network-traffic-to-a-country.asciidoc | 23 +- ...connections-made-from-a-source-ip.asciidoc | 36 +++ ...nections-made-to-a-destination-ip.asciidoc | 36 +++ ...er-of-processes-in-an-rdp-session.asciidoc | 36 +++ .../spike-in-remote-file-transfers.asciidoc | 35 +++ ...ful-logon-events-from-a-source-ip.asciidoc | 23 +- ...-persistence-via-unsigned-process.asciidoc | 29 ++- ...ript-added-to-group-policy-object.asciidoc | 60 ++++- ...-or-run-key-registry-modification.asciidoc | 29 ++- ...rsistence-by-a-suspicious-process.asciidoc | 40 +++- ...n-to-okta-account-after-mfa-reset.asciidoc | 32 ++- ...r-application-script-modification.asciidoc | 35 +++ ...sudo-command-enumeration-detected.asciidoc | 35 +++ .../suid-sguid-enumeration-detected.asciidoc | 35 +++ ...urst-command-and-control-activity.asciidoc | 27 ++- ...us-activity-reported-by-okta-user.asciidoc | 8 +- ...us-antimalware-scan-interface-dll.asciidoc | 25 +- ...ous-apt-package-manager-execution.asciidoc | 35 +++ ...ackage-manager-network-connection.asciidoc | 35 +++ ...ous-automator-workflows-execution.asciidoc | 35 +++ .../suspicious-browser-child-process.asciidoc | 35 +++ ...icious-calendar-file-modification.asciidoc | 35 +++ .../suspicious-certutil-commands.asciidoc | 25 +- ...obe-acrobat-reader-update-service.asciidoc | 35 +++ .../suspicious-cmd-execution-via-wmi.asciidoc | 11 + ...s-communication-app-child-process.asciidoc | 47 +++- ...racted-or-decompressed-via-funzip.asciidoc | 35 +++ ...-crontab-creation-or-modification.asciidoc | 35 +++ ...ta-encryption-via-openssl-utility.asciidoc | 37 ++- ...rsistence-or-privilege-escalation.asciidoc | 34 ++- ...s-dynamic-linker-discovery-via-od.asciidoc | 35 +++ .../suspicious-emond-child-process.asciidoc | 35 +++ ...-endpoint-security-parent-process.asciidoc | 11 + ...s-execution-from-a-mounted-device.asciidoc | 11 + ...picious-execution-from-inet-cache.asciidoc | 82 +++++++ ...ious-execution-via-scheduled-task.asciidoc | 11 + ...suspicious-explorer-child-process.asciidoc | 11 + ...us-file-changes-activity-detected.asciidoc | 35 +++ ...e-creation-in-etc-for-persistence.asciidoc | 66 +++++- ...picious-file-creation-via-kworker.asciidoc | 70 +++++- ...s-hidden-child-process-of-launchd.asciidoc | 35 +++ .../suspicious-html-file-creation.asciidoc | 11 + ...-load-taskschd-dll-from-ms-office.asciidoc | 40 +++- .../suspicious-java-child-process.asciidoc | 35 ++- .../suspicious-kworker-uid-elevation.asciidoc | 36 +++ ...ious-lsass-access-via-malseclogon.asciidoc | 11 + .../suspicious-lsass-process-access.asciidoc | 10 + ...ous-macos-ms-office-child-process.asciidoc | 35 +++ ...ft-365-mail-access-by-clientappid.asciidoc | 8 +- ...soft-diagnostics-wizard-execution.asciidoc | 11 + ...ous-mining-process-creation-event.asciidoc | 35 +++ .../suspicious-modprobe-file-event.asciidoc | 28 ++- ...suspicious-module-loaded-by-lsass.asciidoc | 11 + ...uspicious-ms-office-child-process.asciidoc | 34 ++- ...spicious-ms-outlook-child-process.asciidoc | 34 ++- .../suspicious-net-code-compilation.asciidoc | 11 + ...ous-net-reflection-via-powershell.asciidoc | 50 +++- ...-by-previously-unknown-executable.asciidoc | 115 +++++++++- ...etwork-connection-via-sudo-binary.asciidoc | 35 +++ ...us-network-connection-via-systemd.asciidoc | 35 +++ ...spicious-passwd-file-event-action.asciidoc | 69 +++++- ...spicious-pdf-reader-child-process.asciidoc | 34 ++- ...able-encoded-in-powershell-script.asciidoc | 50 +++- ...cious-powershell-engine-imageload.asciidoc | 23 +- ...cious-print-spooler-file-deletion.asciidoc | 11 + ...us-print-spooler-spl-file-created.asciidoc | 36 ++- ...-service-executable-file-creation.asciidoc | 11 + .../suspicious-proc-maps-discovery.asciidoc | 35 +++ ...oc-pseudo-file-system-enumeration.asciidoc | 27 ++- ...ess-access-via-direct-system-call.asciidoc | 38 ++- ...icious-process-creation-calltrace.asciidoc | 23 +- ...ion-via-renamed-psexec-executable.asciidoc | 34 ++- ...rocess-spawned-from-motd-detected.asciidoc | 66 +++++- ...picious-rdp-activex-client-loaded.asciidoc | 11 + ...stry-access-via-sebackupprivilege.asciidoc | 54 ++++- ...suspicious-renaming-of-esxi-files.asciidoc | 35 +++ ...-renaming-of-esxi-index-html-file.asciidoc | 35 +++ ...rvice-was-installed-in-the-system.asciidoc | 25 +- ...spicious-solarwinds-child-process.asciidoc | 11 + ...startup-shell-folder-modification.asciidoc | 29 ++- .../suspicious-symbolic-link-created.asciidoc | 35 +++ .../suspicious-sysctl-file-event.asciidoc | 29 ++- ...-by-previously-unknown-executable.asciidoc | 35 +++ ...cious-termination-of-esxi-process.asciidoc | 35 +++ ...-utility-launched-via-proxychains.asciidoc | 78 +++++-- ...suspicious-werfault-child-process.asciidoc | 11 + ...process-cluster-spawned-by-a-host.asciidoc | 69 ++++++ ...uster-spawned-by-a-parent-process.asciidoc | 69 ++++++ ...process-cluster-spawned-by-a-user.asciidoc | 69 ++++++ ...ous-wmi-image-load-from-ms-office.asciidoc | 11 + .../suspicious-zoom-child-process.asciidoc | 25 +- .../svchost-spawning-cmd.asciidoc | 36 ++- ...bolic-link-to-shadow-copy-created.asciidoc | 56 ++++- ...-or-moved-to-suspicious-directory.asciidoc | 39 +++- ...scovery-via-windows-command-shell.asciidoc | 35 ++- .../system-log-file-deletion.asciidoc | 56 +++++ .../system-shells-via-services.asciidoc | 25 +- .../system-time-discovery.asciidoc | 8 +- ...systemkey-access-via-command-line.asciidoc | 35 +++ .../tainted-kernel-module-load.asciidoc | 31 +++ ...ed-out-of-tree-kernel-module-load.asciidoc | 33 +++ ...ring-of-bash-command-line-history.asciidoc | 11 + ...-via-mounted-apfs-snapshot-access.asciidoc | 35 +++ ...es-deleted-via-unexpected-process.asciidoc | 38 ++- ...threat-intel-hash-indicator-match.asciidoc | 37 ++- ...-intel-ip-address-indicator-match.asciidoc | 37 ++- .../threat-intel-url-indicator-match.asciidoc | 37 ++- ...-windows-registry-indicator-match.asciidoc | 37 ++- .../timestomping-using-touch-command.asciidoc | 11 + ...nternet-explorer-add-on-installer.asciidoc | 11 + ...eged-ifileoperation-com-interface.asciidoc | 11 + ...ia-windows-directory-masquerading.asciidoc | 38 ++- ...ademanager-elevated-com-interface.asciidoc | 11 + ...diskcleanup-scheduled-task-hijack.asciidoc | 11 + ...icmluautil-elevated-com-interface.asciidoc | 11 + ...a-windows-firewall-snap-in-hijack.asciidoc | 38 ++- ...rom-previously-unknown-executable.asciidoc | 38 +++ ...zed-access-to-an-okta-application.asciidoc | 8 +- ...ocess-of-macos-screensaver-engine.asciidoc | 42 +++- ...-loading-from-a-suspicious-folder.asciidoc | 11 + .../untrusted-driver-loaded.asciidoc | 29 ++- .../unusual-aws-command-for-a-user.asciidoc | 34 ++- ...ess-from-a-system-virtual-process.asciidoc | 11 + .../unusual-child-process-of-dns-exe.asciidoc | 34 ++- ...usual-child-processes-of-rundll32.asciidoc | 29 ++- .../unusual-city-for-an-aws-command.asciidoc | 34 ++- ...nusual-country-for-an-aws-command.asciidoc | 34 ++- ...tion-by-a-system-critical-process.asciidoc | 36 ++- ...le-creation-alternate-data-stream.asciidoc | 36 ++- ...sual-file-modification-by-dns-exe.asciidoc | 22 +- .../unusual-hour-for-a-user-to-logon.asciidoc | 23 +- .../unusual-linux-network-activity.asciidoc | 11 +- .../unusual-linux-username.asciidoc | 11 +- ...vity-from-a-windows-system-binary.asciidoc | 25 +- ...l-network-connection-via-rundll32.asciidoc | 23 +- ...unusual-parent-child-relationship.asciidoc | 36 ++- ...nusual-parent-process-for-cmd-exe.asciidoc | 11 + ...usual-print-spooler-child-process.asciidoc | 11 + ...cution-path-alternate-data-stream.asciidoc | 11 + .../unusual-process-extension.asciidoc | 8 +- .../unusual-process-for-a-linux-host.asciidoc | 23 +- ...nusual-process-for-a-windows-host.asciidoc | 29 ++- ...rocess-for-mssql-service-accounts.asciidoc | 24 +- ...nusual-process-network-connection.asciidoc | 23 +- ...unusual-process-spawned-by-a-host.asciidoc | 69 ++++++ ...ocess-spawned-by-a-parent-process.asciidoc | 69 ++++++ ...unusual-process-spawned-by-a-user.asciidoc | 69 ++++++ ...riting-data-to-an-external-device.asciidoc | 35 +++ .../unusual-remote-file-directory.asciidoc | 35 +++ .../unusual-remote-file-extension.asciidoc | 35 +++ .../unusual-remote-file-size.asciidoc | 35 +++ ...t-child-process-childless-service.asciidoc | 11 + ...al-time-or-day-for-an-rdp-session.asciidoc | 36 +++ ...user-privilege-enumeration-via-id.asciidoc | 35 +++ .../unusual-windows-network-activity.asciidoc | 11 +- .../unusual-windows-remote-user.asciidoc | 11 +- .../unusual-windows-username.asciidoc | 11 +- .../user-account-creation.asciidoc | 38 ++- ...-account-exposed-to-kerberoasting.asciidoc | 51 +++- ...ed-as-owner-for-azure-application.asciidoc | 8 +- ...owner-for-azure-service-principal.asciidoc | 8 +- .../user-added-to-privileged-group.asciidoc | 34 ++- ...l-machine-fingerprinting-via-grep.asciidoc | 11 + .../virtual-machine-fingerprinting.asciidoc | 51 ++++ ...rivate-network-connection-attempt.asciidoc | 35 +++ ...y-deleted-or-resized-via-vssadmin.asciidoc | 38 ++- ...adow-copy-deletion-via-powershell.asciidoc | 38 ++- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 38 ++- ...ess-child-of-common-web-processes.asciidoc | 34 ++- .../webproxy-settings-modification.asciidoc | 35 +++ .../webserver-access-logs-deleted.asciidoc | 11 + .../whoami-process-activity.asciidoc | 38 ++- ...isabled-via-registry-modification.asciidoc | 38 ++- ...r-exclusions-added-via-powershell.asciidoc | 40 +++- .../windows-event-logs-cleared.asciidoc | 23 +- ...-firewall-disabled-via-powershell.asciidoc | 34 ++- .../windows-network-enumeration.asciidoc | 35 ++- ...gistry-file-creation-in-smb-share.asciidoc | 27 ++- ...ndows-script-executing-powershell.asciidoc | 34 ++- ...e-installed-via-an-unusual-client.asciidoc | 19 ++ ...-for-linux-distribution-installed.asciidoc | 27 ++- ...or-linux-enabled-via-dism-utility.asciidoc | 27 ++- ...ntial-dumping-using-netsh-command.asciidoc | 25 +- .../rule-details/wmic-remote-command.asciidoc | 5 +- ...access-on-active-directory-object.asciidoc | 18 ++ .../zoom-meeting-with-no-passcode.asciidoc | 6 + docs/index.asciidoc | 2 + 861 files changed, 23970 insertions(+), 3823 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-deletion-via-shred.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-module-removal.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-network-activity-detected-via-cat.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-defense-evasion-via-proot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-apparmor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-selinux.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-reverse-shell-via-udp.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-process-created-with-a-duplicated-token.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-passwd-file-event-action.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-from-inet-cache.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer.asciidoc new file mode 100644 index 0000000000..1fcf81aa14 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer]] +=== Attempt to Clear Kernel Ring Buffer + +Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Auditd Manager + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and +event.type == "start" and process.name == "dmesg" and process.args : "-c" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Linux or Mac System Logs +** ID: T1070.002 +** Reference URL: https://attack.mitre.org/techniques/T1070/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall.asciidoc new file mode 100644 index 0000000000..49ec68e6b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall]] +=== Attempt to Disable IPTables or Firewall + +Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and + ( + /* disable FW */ + ( + (process.name == "ufw" and process.args == "disable") or + (process.name == "iptables" and process.args == "-F" and process.args_count == 2) + ) or + + /* stop FW service */ + ( + ((process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and + process.args in ("firewalld", "ip6tables", "iptables") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..8b2ee643e3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity.asciidoc @@ -0,0 +1,120 @@ +[[prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity]] +=== Base16 or Base32 Encoding/Decoding Activity + +Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Auditd Manager + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type in ("start", "process_started") and +process.name in ("base16", "base32", "base32plain", "base32hex") and not process.args in ("--help", "--version") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline.asciidoc new file mode 100644 index 0000000000..56ec58c090 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline]] +=== Creation of Hidden Files and Directories via CommandLine + +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Custom Ingest Pipeline* + +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html[guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and +process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and +not process.name in ("ls", "find", "grep", "git", "jq", "basename") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file.asciidoc new file mode 100644 index 0000000000..4ef1c2b66a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file]] +=== Creation of Hidden Shared Object File + +Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Custom Ingest Pipeline* + +For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html[guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and +not process.name == "dockerd" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..7d9d44d06f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command]] +=== ESXI Timestomping using Touch Command + +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Auditd Manager + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed") +and process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection.asciidoc new file mode 100644 index 0000000000..0b6000c73e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection]] +=== Execution from a Removable Media with Network Connection + +Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.action == "start" and + + /* Direct Exec from USB */ + (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and + (process.code_signature.trusted == false or process.code_signature.exists == false) and + + not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")] + [network where host.os.type == "windows" and event.action == "connection_attempted"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Replication Through Removable Media +** ID: T1091 +** Reference URL: https://attack.mitre.org/techniques/T1091/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-deletion-via-shred.asciidoc new file mode 100644 index 0000000000..5e41f754ee --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-deletion-via-shred.asciidoc @@ -0,0 +1,102 @@ +[[prebuilt-rule-8-10-12-file-deletion-via-shred]] +=== File Deletion via Shred + +Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "shred" and process.args in ( + "-u", "--remove", "-z", "--zero" +) and not process.parent.name == "logrotate" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory.asciidoc new file mode 100644 index 0000000000..527042c8a4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory]] +=== File Permission Modification in Writable Directory + +Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.type:start and +process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and +not process.parent.name:(apt-key or update-motd-updates-available) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process.asciidoc new file mode 100644 index 0000000000..aad6757092 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process]] +=== First Time Seen NewCredentials Logon Process + +Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\Program?Files* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Token Impersonation/Theft +** ID: T1134.001 +** Reference URL: https://attack.mitre.org/techniques/T1134/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process.asciidoc new file mode 100644 index 0000000000..3ad2f99ec0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process.asciidoc @@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process]] +=== Interactive Logon by an Unusual Process + +Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1134/002/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +Audit event 4624 is needed to trigger this rule. + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, +events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2. +Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate +`event.ingested` to @timestamp. +For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html + + +==== Rule query + + +[source, js] +---------------------------------- +authentication where + host.os.type : "windows" and winlog.event_data.LogonProcessName : "Advapi*" and + winlog.logon.type == "Interactive" and winlog.event_data.SubjectUserSid : ("S-1-5-21*", "S-1-12-*") and + winlog.event_data.TargetUserSid : ("S-1-5-21*", "S-1-12-*") and process.executable : "C:\\*" and + not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and + not process.executable : + ("?:\\Windows\\System32\\winlogon.exe", + "?:\\Windows\\System32\\wininit.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Create Process with Token +** ID: T1134.002 +** Reference URL: https://attack.mitre.org/techniques/T1134/002/ +* Sub-technique: +** Name: Make and Impersonate Token +** ID: T1134.003 +** Reference URL: https://attack.mitre.org/techniques/T1134/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user.asciidoc new file mode 100644 index 0000000000..e151c451c0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user.asciidoc @@ -0,0 +1,108 @@ +[[prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user]] +=== Kernel Driver Load by non-root User + +Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager. + +*Rule type*: eql + +*Rule indices*: + +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Auditd Manager. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -- "-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules" + -- "-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules" + + + +==== Rule query + + +[source, js] +---------------------------------- +driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and +auditd.data.syscall in ("init_module", "finit_module") and user.id != "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-module-removal.asciidoc new file mode 100644 index 0000000000..90c6e14ee7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-kernel-module-removal.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-10-12-kernel-module-removal]] +=== Kernel Module Removal + +Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://man7.org/linux/man-pages/man8/modprobe.8.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r")) and +process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb.asciidoc new file mode 100644 index 0000000000..7eba59959b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb.asciidoc @@ -0,0 +1,104 @@ +[[prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb]] +=== Linux init (PID 1) Secret Dump via GDB + +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/controlplaneio/truffleproc +* https://github.com/hajzer/bash-memory-dump + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-network-activity-detected-via-cat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-network-activity-detected-via-cat.asciidoc new file mode 100644 index 0000000000..18991b1870 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-network-activity-detected-via-cat.asciidoc @@ -0,0 +1,181 @@ +[[prebuilt-rule-8-10-12-network-activity-detected-via-cat]] +=== Network Activity Detected via cat + +This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Network Activity Detected via cat* + + +Attackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. + +This rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + + +*Related rules* + + +- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b + + +*False positive analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and + process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch( + destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", + "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", + "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", + "FF00::/8" + ) + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-defense-evasion-via-proot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-defense-evasion-via-proot.asciidoc new file mode 100644 index 0000000000..828d4807cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-defense-evasion-via-proot.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-10-12-potential-defense-evasion-via-proot]] +=== Potential Defense Evasion via PRoot + +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://proot-me.github.io/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and process.parent.name == "proot" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-apparmor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-apparmor.asciidoc new file mode 100644 index 0000000000..e695da2b3f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-apparmor.asciidoc @@ -0,0 +1,107 @@ +[[prebuilt-rule-8-10-12-potential-disabling-of-apparmor]] +=== Potential Disabling of AppArmor + +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Auditd Manager + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start" +and ( + (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or + (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-selinux.asciidoc new file mode 100644 index 0000000000..321066537a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-disabling-of-selinux.asciidoc @@ -0,0 +1,120 @@ +[[prebuilt-rule-8-10-12-potential-disabling-of-selinux]] +=== Potential Disabling of SELinux + +Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Auditd Manager + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type in ("start", "process_started") and +process.name == "setenforce" and process.args == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid.asciidoc new file mode 100644 index 0000000000..3d3fc14127 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid.asciidoc @@ -0,0 +1,102 @@ +[[prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid]] +=== Potential Hidden Process via Mount Hidepid + +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend +* Data Source: Auditd Manager + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and event.type == "start" +and process.name == "mount" and process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem.asciidoc new file mode 100644 index 0000000000..958d3dbb8d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem]] +=== Potential Linux Credential Dumping via Proc Filesystem + +Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/huntergregal/mimipenguin +* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.name with maxspan=1m + [process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" + and process.args in ("-eo", "pid", "command")] + [process where host.os.type == "linux" and process.name == "strings" and event.action == "exec" + and process.args : "/tmp/*"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ +* Technique: +** Name: Exploitation for Credential Access +** ID: T1212 +** Reference URL: https://attack.mitre.org/techniques/T1212/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow.asciidoc new file mode 100644 index 0000000000..29b6e1f77a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow]] +=== Potential Linux Credential Dumping via Unshadow + +Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name == "unshadow" and process.args_count >= 3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected.asciidoc new file mode 100644 index 0000000000..3e0fd2330c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected.asciidoc @@ -0,0 +1,104 @@ +[[prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected]] +=== Potential Linux Local Account Brute Force Detected + +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.executable, user.id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and + not process.parent.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server", "ma", "gitlab-runner", + "updatedb.findutils", "cron" + ) + ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding.asciidoc new file mode 100644 index 0000000000..1616e38a7a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding.asciidoc @@ -0,0 +1,193 @@ +[[prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding]] +=== Potential Linux Tunneling and/or Port Forwarding + +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Potential Linux Tunneling and/or Port Forwarding* + + +Attackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. + +This rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + + +*Related rules* + + +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 +- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4 +- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37 + + +*False positive analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +event.type == "start" and ( + ( + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + // chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer.asciidoc new file mode 100644 index 0000000000..8fdd55c35e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer.asciidoc @@ -0,0 +1,217 @@ +[[prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer]] +=== Potential Masquerading as Business App Installer + +Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers + +*Tags*: + +* Domain: Endpoint +* Data Source: Elastic Defend +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Initial Access +* Tactic: Execution + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and + event.type == "start" and process.executable : "?:\\Users\\*\\Downloads\\*" and + not process.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and + ( + /* Slack */ + (process.name : "*slack*.exe" and not + (process.code_signature.subject_name in ( + "Slack Technologies, Inc.", + "Slack Technologies, LLC" + ) and process.code_signature.trusted == true) + ) or + + /* WebEx */ + (process.name : "*webex*.exe" and not + (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true) + ) or + + /* Teams */ + (process.name : "teams*.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Discord */ + (process.name : "*discord*.exe" and not + (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true) + ) or + + /* WhatsApp */ + (process.name : "*whatsapp*.exe" and not + (process.code_signature.subject_name in ( + "WhatsApp LLC", + "WhatsApp, Inc", + "24803D75-212C-471A-BC57-9EF86AB91435" + ) and process.code_signature.trusted == true) + ) or + + /* Zoom */ + (process.name : ("*zoom*installer*.exe", "*zoom*setup*.exe", "zoom.exe") and not + (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true) + ) or + + /* Outlook */ + (process.name : "*outlook*.exe" and not + ( + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) or + ( + process.name: "MSOutlookHelp-PST-Viewer.exe" and process.code_signature.subject_name == "Aryson Technologies Pvt. Ltd" and + process.code_signature.trusted == true + ) + ) + ) or + + /* Thunderbird */ + (process.name : "*thunderbird*.exe" and not + (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true) + ) or + + /* Grammarly */ + (process.name : "*grammarly*.exe" and not + (process.code_signature.subject_name == "Grammarly, Inc." and process.code_signature.trusted == true) + ) or + + /* Dropbox */ + (process.name : "*dropbox*.exe" and not + (process.code_signature.subject_name == "Dropbox, Inc" and process.code_signature.trusted == true) + ) or + + /* Tableau */ + (process.name : "*tableau*.exe" and not + (process.code_signature.subject_name == "Tableau Software LLC" and process.code_signature.trusted == true) + ) or + + /* Google Drive */ + (process.name : "*googledrive*.exe" and not + (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true) + ) or + + /* MSOffice */ + (process.name : "*office*setup*.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Okta */ + (process.name : "*okta*.exe" and not + (process.code_signature.subject_name == "Okta, Inc." and process.code_signature.trusted == true) + ) or + + /* OneDrive */ + (process.name : "*onedrive*.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Chrome */ + (process.name : "*chrome*.exe" and not + (process.code_signature.subject_name in ("Google LLC", "Google Inc") and process.code_signature.trusted == true) + ) or + + /* Firefox */ + (process.name : "*firefox*.exe" and not + (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true) + ) or + + /* Edge */ + (process.name : ("*microsoftedge*.exe", "*msedge*.exe") and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Brave */ + (process.name : "*brave*.exe" and not + (process.code_signature.subject_name == "Brave Software, Inc." and process.code_signature.trusted == true) + ) or + + /* GoogleCloud Related Tools */ + (process.name : "*GoogleCloud*.exe" and not + (process.code_signature.subject_name == "Google LLC" and process.code_signature.trusted == true) + ) or + + /* Github Related Tools */ + (process.name : "*github*.exe" and not + (process.code_signature.subject_name == "GitHub, Inc." and process.code_signature.trusted == true) + ) or + + /* Notion */ + (process.name : "*notion*.exe" and not + (process.code_signature.subject_name == "Notion Labs, Inc." and process.code_signature.trusted == true) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Drive-by Compromise +** ID: T1189 +** Reference URL: https://attack.mitre.org/techniques/T1189/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell.asciidoc new file mode 100644 index 0000000000..2d18ece4ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell]] +=== Potential Meterpreter Reverse Shell + +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -w /proc/net/ -p r -k audit_proc + -w /etc/machine-id -p wa -k machineid + -w /etc/passwd -p wa -k passwd + + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, user.id + [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] + [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/passwd"] + [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/route"] + [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"] + [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected.asciidoc new file mode 100644 index 0000000000..9e6cd4281f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected]] +=== Potential Pspy Process Monitoring Detected + +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. + +*Rule type*: eql + +*Rule indices*: + +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/DominicBreuker/pspy + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Auditd Manager. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -- "-w /proc/ -p r -k audit_proc" + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.pid, host.id with maxspan=5s + [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and + auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec.asciidoc new file mode 100644 index 0000000000..19cb6088b7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec]] +=== Potential Remote File Execution via MSIEXEC + +Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [process where host.os.type == "windows" and event.action == "start" and + process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id + [network where host.os.type == "windows" and process.name : "msiexec.exe" and + event.action == "connection_attempted"] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and + not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\srtasks.exe", + "?:\\Windows\\SysWOW64\\srtasks.exe", + "?:\\Windows\\System32\\taskkill.exe", + "?:\\Windows\\Installer\\MSI*.tmp", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\ie4uinit.exe", + "?:\\Windows\\SysWOW64\\ie4uinit.exe", + "?:\\Windows\\System32\\sc.exe", + "?:\\Windows\\system32\\Wbem\\mofcomp.exe", + "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe", + "?:\\Windows\\SysWOW64\\taskkill.exe", + "?:\\Windows\\SysWOW64\\schtasks.exe", + "?:\\Windows\\system32\\schtasks.exe", + "?:\\Windows\\System32\\sdbinst.exe") and + not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and + not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and + process.Ext.token.integrity_level_name == "high" and + process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and + not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and + not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry") + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Msiexec +** ID: T1218.007 +** Reference URL: https://attack.mitre.org/techniques/T1218/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-reverse-shell-via-udp.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-reverse-shell-via-udp.asciidoc new file mode 100644 index 0000000000..3dc99303f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-reverse-shell-via-udp.asciidoc @@ -0,0 +1,139 @@ +[[prebuilt-rule-8-10-12-potential-reverse-shell-via-udp]] +=== Potential Reverse Shell via UDP + +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required to be added to the integration. + + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, process.parent.pid + [process where host.os.type == "linux" and auditd.data.syscall == "execve" and process.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", + "ruby", "openssl", "awk", "telnet", "lua*", "socat" + ) + ] + [process where host.os.type == "linux" and auditd.data.syscall == "socket" and process.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", + "ruby", "openssl", "awk", "telnet", "lua*", "socat" + ) and + auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")] +[network where host.os.type == "linux" and auditd.data.syscall == "connect" and process.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", + "ruby", "openssl", "awk", "telnet", "lua*", "socat" + ) and + network.direction == "egress" and destination.ip != null and destination.ip != "127.0.0.1" and + destination.ip != "127.0.0.53" and destination.ip != "::1"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..8b4d03436f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected]] +=== Potential Successful Linux FTP Brute Force Attack Detected + +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required to be added to the integration. + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, auditd.data.addr, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.action == "authenticated" and + auditd.data.terminal == "ftp" and event.outcome == "failure" and auditd.data.addr != null and + auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10 + [authentication where host.os.type == "linux" and event.action == "authenticated" and + auditd.data.terminal == "ftp" and event.outcome == "success" and auditd.data.addr != null and + auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..c34a071cd0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected]] +=== Potential Successful Linux RDP Brute Force Attack Detected + +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager + + +*Auditbeat Setup* + +Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. + + +*The following steps should be executed in order to add the Auditbeat on a Linux System:* + +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. +- To install the APT and YUM repositories follow the setup instructions in this https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html[helper guide]. +- To run Auditbeat on Docker follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html[helper guide]. +- To run Auditbeat on Kubernetes follow the setup instructions in the https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html[helper guide]. +- For complete “Setup and Run Auditbeat” information refer to the https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html[helper guide]. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required to be added to the integration. + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.action == "authenticated" and + auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10 + [authentication where host.os.type == "linux" and event.action == "authenticated" and + auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-process-created-with-a-duplicated-token.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-process-created-with-a-duplicated-token.asciidoc new file mode 100644 index 0000000000..176ce789da --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-process-created-with-a-duplicated-token.asciidoc @@ -0,0 +1,95 @@ +[[prebuilt-rule-8-10-12-process-created-with-a-duplicated-token]] +=== Process Created with a Duplicated Token + +Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* This rule is only compatible with Elastic Endpoint 8.4+ */ + +process where host.os.type == "windows" and event.action == "start" and + + user.id : ("S-1-5-21-*", "S-1-12-1-*") and + + (process.Ext.effective_parent.executable regex~ """[C-Z]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9\-\_\.]+\.exe""" or + process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe") and + + ( + process.name : ("powershell.exe", "cmd.exe", "rundll32.exe", "notepad.exe", "net.exe", "ntdsutil.exe", + "tasklist.exe", "reg.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "esentutl.exe") or + + ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and + not process.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and + not process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) + ) and + not (process.name : "rundll32.exe" and + process.command_line : ("*davclnt.dll,DavSetCookie*", "*?:\\Program Files*", + "*\\Windows\\System32\\winethc.dll*", "*\\Windows\\SYSTEM32\\EDGEHTML.dll*", + "*shell32.dll,SHCreateLocalServerRunDll*")) and + not startswith~(process.Ext.effective_parent.name, process.parent.name) and + not (process.name : "powershell.exe" and process.parent.name : "wmiprvse.exe" and process.Ext.effective_parent.executable : "?:\\Windows\\System32\\wsmprovhost.exe") and + not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\RuntimeBroker.exe" and process.parent.executable : "?:\\Windows\\System32\\sihost.exe") and + not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\sethc.exe" and process.parent.executable : "?:\\Windows\\System32\\svchost.exe") and + not (process.Ext.effective_parent.executable : "?:\\Windows\\explorer.exe" and + process.parent.executable : ("?:\\Windows\\System32\\svchost.exe", "?:\\Windows\\System32\\msiexec.exe", "?:\\Windows\\twain_32\\*.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Token Impersonation/Theft +** ID: T1134.001 +** Reference URL: https://attack.mitre.org/techniques/T1134/001/ +* Sub-technique: +** Name: Create Process with Token +** ID: T1134.002 +** Reference URL: https://attack.mitre.org/techniques/T1134/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com.asciidoc new file mode 100644 index 0000000000..77a4f17986 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com]] +=== Remote XSL Script Execution via COM + +Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [library where host.os.type == "windows" and dll.name : "msxml3.dll" and + process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id + [process where host.os.type == "windows" and event.action == "start" and + process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and + not process.executable : + ("?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWoW64\\WerFault.exe", + "?:\\windows\\splwow64.exe", + "?:\\Windows\\System32\\conhost.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: XSL Script Processing +** ID: T1220 +** Reference URL: https://attack.mitre.org/techniques/T1220/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll.asciidoc new file mode 100644 index 0000000000..1331e61182 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll]] +=== Suspicious Antimalware Scan Interface DLL + +Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Antimalware Scan Interface DLL* + + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Attackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + +*Possible investigation steps* + + +- Identify the process that created the DLL and which account was used. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Investigate other processes launched from the directory that the DLL was created. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe: + - Observe and collect information about the following activities in the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + + +*False positive analysis* + + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and file.path != null and + file.name : ("amsi.dll", "amsi") and not file.path : ("?:\\Windows\\system32\\amsi.dll", "?:\\Windows\\Syswow64\\amsi.dll", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSXS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\servicing\\LCU\\*", "?:\\$WINDOWS.~BT\\Work\\*\\*", "?:\\Windows\\SoftwareDistribution\\Download\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache.asciidoc new file mode 100644 index 0000000000..bd93e8952f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache]] +=== Suspicious Execution from INET Cache + +Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.security* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("explorer.exe", "winrar.exe", "7zFM.exe", "Bandizip.exe") and + (process.args : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*" or + process.executable : "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-passwd-file-event-action.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-passwd-file-event-action.asciidoc new file mode 100644 index 0000000000..bea698551d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-passwd-file-event-action.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-10-12-suspicious-passwd-file-event-action]] +=== Suspicious Passwd File Event Action + +Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the "/etc/passwd" file. The "/etc/passwd" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the "/etc/passwd" file permissions or other privileges to add a new entry to the "/etc/passwd" file with root permissions, and leverage this new user account to login as root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Data Source: Auditd Manager +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend and Auditd Manager. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows +the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +*Auditd Manager Integration Setup* + +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + + +*The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:* + +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the https://docs.elastic.co/integrations/auditd_manager[helper guide]. + + +*Rule Specific Setup Note* + +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule the following additional audit rules are required to be added to the integration: + -- "-w /etc/passwd -p wa -k etcpasswd" + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.pid with maxspan=1m + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.name == "openssl" and process.args == "passwd" and user.id != "0"] + [file where host.os.type == "linux" and file.path == "/etc/passwd" and process.parent.pid != 1 and + not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains.asciidoc new file mode 100644 index 0000000000..90488c641f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains.asciidoc @@ -0,0 +1,183 @@ +[[prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains]] +=== Suspicious Utility Launched via ProxyChains + +This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend +* Data Source: Elastic Endgame +* Data Source: Auditd Manager + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and analysis* + + + +*Investigating Suspicious Utility Launched via ProxyChains* + + +Attackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers. + +This rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. + +> **Note**: +> This investigation guide uses the https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html[Osquery Markdown Plugin] introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html[placeholder fields] to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + + +*Possible investigation steps* + + +- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + + +*Related rules* + + +- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37 +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 + + +*False positive analysis* + + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + + +*Response and remediation* + + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +==== Setup + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed") and +event.type == "start" and process.name == "proxychains" and process.args : ( + "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", + "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby", + "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc new file mode 100644 index 0000000000..cda4181f41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory]] +=== System Binary Copied and/or Moved to Suspicious Directory + +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Setup + + + +This rule requires data coming in from Elastic Defend. + + +*Elastic Defend Integration Setup* + +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + + +*Prerequisite Requirements:* + +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the https://www.elastic.co/guide/en/fleet/current/fleet-server.html[documentation]. + + +*The following steps should be executed in order to add the Elastic Defend integration on a Linux System:* + +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html[Helper guide]. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html[helper guide]. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the https://www.elastic.co/guide/en/security/current/install-endpoint.html[helper guide]. + + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("cp", "mv") and process.args : ( + // Shells + "/bin/*sh", "/usr/bin/*sh", + + // Interpreters + "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*", "/bin/perl*", + "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*", + + // Compilers + "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc", + + // Suspicious utilities + "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat", "/bin/nc.openbsd", + "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat", "/bin/openssl", + "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo", "/bin/mknod", + "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", + + // System utilities + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] + [file where host.os.type == "linux" and event.action == "creation" and file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + ) and not file.path : ("/tmp/rear*", "/var/tmp/rear*", "/var/tmp/dracut*", "/var/tmp/mkinitramfs*")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-appendix.asciidoc new file mode 100644 index 0000000000..f6beaa21cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-appendix.asciidoc @@ -0,0 +1,43 @@ +["appendix",role="exclude",id="prebuilt-rule-8-10-12-prebuilt-rules-8-10-12-appendix"] += Downloadable rule update v8.10.12 + +This section lists all updates associated with version 8.10.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-10-12-potential-masquerading-as-business-app-installer.asciidoc[] +include::prebuilt-rule-8-10-12-suspicious-execution-from-inet-cache.asciidoc[] +include::prebuilt-rule-8-10-12-execution-from-a-removable-media-with-network-connection.asciidoc[] +include::prebuilt-rule-8-10-12-potential-remote-file-execution-via-msiexec.asciidoc[] +include::prebuilt-rule-8-10-12-remote-xsl-script-execution-via-com.asciidoc[] +include::prebuilt-rule-8-10-12-network-activity-detected-via-cat.asciidoc[] +include::prebuilt-rule-8-10-12-suspicious-utility-launched-via-proxychains.asciidoc[] +include::prebuilt-rule-8-10-12-potential-linux-tunneling-and-or-port-forwarding.asciidoc[] +include::prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-unshadow.asciidoc[] +include::prebuilt-rule-8-10-12-linux-init-pid-1-secret-dump-via-gdb.asciidoc[] +include::prebuilt-rule-8-10-12-potential-linux-local-account-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-10-12-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-10-12-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-10-12-potential-linux-credential-dumping-via-proc-filesystem.asciidoc[] +include::prebuilt-rule-8-10-12-attempt-to-disable-iptables-or-firewall.asciidoc[] +include::prebuilt-rule-8-10-12-base16-or-base32-encoding-decoding-activity.asciidoc[] +include::prebuilt-rule-8-10-12-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-10-12-attempt-to-clear-kernel-ring-buffer.asciidoc[] +include::prebuilt-rule-8-10-12-potential-disabling-of-apparmor.asciidoc[] +include::prebuilt-rule-8-10-12-potential-disabling-of-selinux.asciidoc[] +include::prebuilt-rule-8-10-12-esxi-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-8-10-12-file-deletion-via-shred.asciidoc[] +include::prebuilt-rule-8-10-12-file-permission-modification-in-writable-directory.asciidoc[] +include::prebuilt-rule-8-10-12-creation-of-hidden-files-and-directories-via-commandline.asciidoc[] +include::prebuilt-rule-8-10-12-creation-of-hidden-shared-object-file.asciidoc[] +include::prebuilt-rule-8-10-12-kernel-module-removal.asciidoc[] +include::prebuilt-rule-8-10-12-potential-hidden-process-via-mount-hidepid.asciidoc[] +include::prebuilt-rule-8-10-12-potential-defense-evasion-via-proot.asciidoc[] +include::prebuilt-rule-8-10-12-potential-pspy-process-monitoring-detected.asciidoc[] +include::prebuilt-rule-8-10-12-potential-meterpreter-reverse-shell.asciidoc[] +include::prebuilt-rule-8-10-12-potential-reverse-shell-via-udp.asciidoc[] +include::prebuilt-rule-8-10-12-kernel-driver-load-by-non-root-user.asciidoc[] +include::prebuilt-rule-8-10-12-suspicious-passwd-file-event-action.asciidoc[] +include::prebuilt-rule-8-10-12-suspicious-antimalware-scan-interface-dll.asciidoc[] +include::prebuilt-rule-8-10-12-process-created-with-a-duplicated-token.asciidoc[] +include::prebuilt-rule-8-10-12-interactive-logon-by-an-unusual-process.asciidoc[] +include::prebuilt-rule-8-10-12-first-time-seen-newcredentials-logon-process.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-summary.asciidoc new file mode 100644 index 0000000000..0d18c4c9cd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-12/prebuilt-rules-8-10-12-summary.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-10-12-prebuilt-rules-8-10-12-summary]] +[role="xpack"] +== Update v8.10.12 + +This section lists all updates associated with version 8.10.12 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access. | new | 3 + +|<> | Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access. | new | 1 + +|<> | Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. | new | 2 + +|<> | Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. | new | 2 + +|<> | Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. | new | 2 + +|<> | This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. | update | 5 + +|<> | This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. | update | 5 + +|<> | This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. | update | 5 + +|<> | Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. | update | 7 + +|<> | This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. | update | 5 + +|<> | Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. | update | 5 + +|<> | An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. | update | 6 + +|<> | An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. | update | 6 + +|<> | Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. | update | 6 + +|<> | Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. | update | 6 + +|<> | Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. | update | 108 + +|<> | This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. | update | 6 + +|<> | Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). | update | 2 + +|<> | This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 4 + +|<> | Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 108 + +|<> | Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. | update | 6 + +|<> | Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. | update | 108 + +|<> | Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. | update | 209 + +|<