Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Detection Rules] Adding Documents for v8.11.21 Pre-Built Detection Rules #5534

Merged
merged 1 commit into from
Jul 9, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
[[prebuilt-rule-8-11-21-attempts-to-brute-force-a-microsoft-365-user-account]]
=== Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

*Rule type*: esql

*Rule indices*: None

*Severity*: medium

*Risk score*: 47

*Runs every*: 5m

*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)

*Maximum alerts per execution*: 100

*References*:

* https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem
* https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties

*Tags*:

* Domain: Cloud
* Domain: SaaS
* Data Source: Microsoft 365
* Use Case: Identity and Access Audit
* Tactic: Credential Access

*Version*: 209

*Rule authors*:

* Elastic
* Willem D'Haese
* Austin Songer

*Rule license*: Elastic License v2


==== Investigation guide




==== Setup


The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

==== Rule query


[source, js]
----------------------------------
from logs-o365.audit-*
| MV_EXPAND event.category
| WHERE event.dataset == "o365.audit"
AND event.category == "authentication"

// filter only on Entra ID or Exchange audit logs in O365 integration
AND event.provider in ("AzureActiveDirectory", "Exchange")

// filter only for UserLoginFailed or partial failures
AND event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")

// ignore specific logon errors
AND not o365.audit.LogonError in (
"EntitlementGrantsNotFound",
"UserStrongAuthEnrollmentRequired",
"UserStrongAuthClientAuthNRequired",
"InvalidReplyTo",
"SsoArtifactExpiredDueToConditionalAccess",
"PasswordResetRegistrationRequiredInterrupt",
"SsoUserAccountNotFoundInResourceTenant",
"UserStrongAuthExpired",
"CmsiInterrupt"
)
// filters out non user or application logins based on target
AND o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")

// filters only for logins from user or application, ignoring oauth:token
AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"

| STATS
// count the number of failed login attempts target per user
login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError

| WHERE login_attempt_counts > 10

----------------------------------

*Framework*: MITRE ATT&CK^TM^

* Tactic:
** Name: Credential Access
** ID: TA0006
** Reference URL: https://attack.mitre.org/tactics/TA0006/
* Technique:
** Name: Brute Force
** ID: T1110
** Reference URL: https://attack.mitre.org/techniques/T1110/
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
[[prebuilt-rule-8-11-21-aws-rds-db-instance-made-public]]
=== AWS RDS DB Instance Made Public

Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls.

*Rule type*: eql

*Rule indices*:

* filebeat-*
* logs-aws.cloudtrail-*

*Severity*: medium

*Risk score*: 47

*Runs every*: 5m

*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)

*Maximum alerts per execution*: 100

*References*:

* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html
* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html
* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance
* https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance

*Tags*:

* Domain: Cloud
* Data Source: AWS
* Data Source: Amazon Web Services
* Data Source: AWS RDS
* Resources: Investigation Guide
* Use Case: Threat Detection
* Tactic: Persistence
* Tactic: Defense Evasion

*Version*: 1

*Rule authors*:

* Elastic

*Rule license*: Elastic License v2


==== Investigation guide



*Triage and Analysis*



*Investigating AWS RDS DB Instance Made Public*


This rule identifies when an RDS DB instance is created or modified to enable public access. While publicly accessible DB instances are a common practice, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.


*Possible Investigation Steps*


- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Creation/Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance`, `CreateDBInstance` or `CreateDBCluster` actions where the publiclyAccessible parameter was set to true.
- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.
- **Verify the Created/Modified Instance**: Check the DB instance that was created or modified and its contents to determine the sensitivity of the data stored within it.
- **Contextualize with Recent Changes**: Compare this event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this event to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.

*False Positive Analysis*


- **Legitimate Instance Configuration**: Confirm if the DB instance creation or modification aligns with legitimate tasks.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.


*Response and Remediation*


- **Immediate Review and Reversal**: If the change was unauthorized, update the instance attributes to remove public access and restore it to its previous state. Determine whether attached security groups have been modified to allow additional access and revert any unauthorized changes.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.
- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.


*Additional Information:*


For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance]


==== Rule query


[source, js]
----------------------------------
any where event.dataset == "aws.cloudtrail"
and event.provider == "rds.amazonaws.com"
and event.outcome == "success"
and (
(event.action == "ModifyDBInstance" and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
or
(event.action in ("CreateDBInstance", "CreateDBCluster") and stringContains(aws.cloudtrail.request_parameters, "publiclyAccessible=true"))
)

----------------------------------

*Framework*: MITRE ATT&CK^TM^

* Tactic:
** Name: Persistence
** ID: TA0003
** Reference URL: https://attack.mitre.org/tactics/TA0003/
* Technique:
** Name: Modify Authentication Process
** ID: T1556
** Reference URL: https://attack.mitre.org/techniques/T1556/
* Sub-technique:
** Name: Conditional Access Policies
** ID: T1556.009
** Reference URL: https://attack.mitre.org/techniques/T1556/009/
* Tactic:
** Name: Defense Evasion
** ID: TA0005
** Reference URL: https://attack.mitre.org/tactics/TA0005/
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
[[prebuilt-rule-8-11-21-aws-rds-db-instance-or-cluster-deletion-protection-disabled]]
=== AWS RDS DB Instance or Cluster Deletion Protection Disabled

Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment.

*Rule type*: eql

*Rule indices*:

* filebeat-*
* logs-aws.cloudtrail-*

*Severity*: medium

*Risk score*: 47

*Runs every*: 5m

*Searches indices from*: now-10m ({ref}/common-options.html#date-math[Date Math format], see also <<rule-schedule, `Additional look-back time`>>)

*Maximum alerts per execution*: 100

*References*:

* https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html
* https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html

*Tags*:

* Domain: Cloud
* Data Source: AWS
* Data Source: Amazon Web Services
* Data Source: AWS RDS
* Resources: Investigation Guide
* Use Case: Threat Detection
* Tactic: Impact

*Version*: 1

*Rule authors*:

* Elastic

*Rule license*: Elastic License v2


==== Investigation guide



*Triage and Analysis*



*Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled*


This rule identifies when the deletion protection feature is removed from an RDS DB instance or cluster. Removing deletion protection is a prerequisite for deleting a DB instance. Adversaries may exploit this feature to permanently delete data in a compromised environment.


*Possible Investigation Steps*


- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the deletionProtection parameter was changed.
- **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB instance or cluster identifier and any other modifications made to the instance.
- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.
- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB instance or cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.

*False Positive Analysis*


- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.
- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.


*Response and Remediation*


- **Immediate Review and Reversal**: If the change was unauthorized, reset deletionProtection to true.
- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.
- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access.
- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.


*Additional Information:*


For further guidance on managing DB instances and securing AWS environments, refer to the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html[AWS RDS documentation] and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html[AWS RDS ModifyDBInstance]
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html[Deleting AWS RDS DB Instance]


==== Rule query


[source, js]
----------------------------------
any where event.dataset == "aws.cloudtrail"
and event.provider == "rds.amazonaws.com"
and event.action in ("ModifyDBInstance", "ModifyDBCluster")
and event.outcome == "success"
and stringContains(aws.cloudtrail.request_parameters, "deletionProtection=false")

----------------------------------

*Framework*: MITRE ATT&CK^TM^

* Tactic:
** Name: Impact
** ID: TA0040
** Reference URL: https://attack.mitre.org/tactics/TA0040/
* Technique:
** Name: Data Destruction
** ID: T1485
** Reference URL: https://attack.mitre.org/techniques/T1485/
Loading