diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 317a6318d1f..be433830b21 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,15 +1,14 @@ # detection-rules code owners # POC: Elastic Security Intelligence and Analytics Team -tests/**/*.py @brokensound77 @mikaayenson @eric-forte-elastic -detection_rules/ @brokensound77 @mikaayenson @eric-forte-elastic -tests/ @brokensound77 @mikaayenson @eric-forte-elastic -lib/ @brokensound77 @mikaayenson @eric-forte-elastic -rta/ @brokensound77 @mikaayenson @eric-forte-elastic +tests/**/*.py @mikaayenson @eric-forte-elastic @terrancedejesus +detection_rules/ @mikaayenson @eric-forte-elastic @terrancedejesus +tests/ @mikaayenson @eric-forte-elastic @terrancedejesus +lib/ @mikaayenson @eric-forte-elastic @terrancedejesus +rta/ @mikaayenson @eric-forte-elastic @terrancedejesus # skip rta-mapping to avoid the spam -detection_rules/etc/packages.yaml @brokensound77 @mikaayenson @eric-forte-elastic -detection_rules/etc/*.json @brokensound77 @mikaayenson @eric-forte-elastic -detection_rules/etc/*.json @brokensound77 @mikaayenson @eric-forte-elastic -detection_rules/etc/*/* @brokensound77 @mikaayenson @eric-forte-elastic - +detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @terrancedejesus +detection_rules/etc/*.json @mikaayenson @eric-forte-elastic @terrancedejesus +detection_rules/etc/*.json @mikaayenson @eric-forte-elastic @terrancedejesus +detection_rules/etc/*/* @mikaayenson @eric-forte-elastic @terrancedejesus diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 386b7dc20f4..65f4aefea86 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py 
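Review bot: `detection_rules/etc/*.json` is listed twice in the rewritten owners block; the duplicate predates this change but is carried over verbatim, and the second `detection_rules/etc/*.json @mikaayenson @eric-forte-elastic @terrancedejesus` line can simply be dropped. Identical duplicates are harmless today because the last matching pattern wins, but they will silently diverge if only one copy is edited in a later ownership change.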
@@ -122,15 +122,15 @@ def build_release(ctx: click.Context, config_file, update_version_lock: bool, ge
 registry_data['conditions']['kibana.version'].strip("^"))
 sde = SecurityDetectionEngine()
 historical_rules = sde.load_integration_assets(previous_pkg_version)
- historical_rules = sde.transform_legacy_assets(historical_rules)
- package.add_historical_rules(historical_rules, registry_data['version'])
+ limited_historical_rules = sde.keep_latest_versions(historical_rules)
+ package.add_historical_rules(limited_historical_rules, registry_data['version'])
 click.echo(f'[+] Adding historical rules from {previous_pkg_version} package')
 # NOTE: stopgap solution until security doc migration
 if generate_docs:
 click.echo(f'[+] Generating security docs for {registry_data["version"]} package')
 docs = IntegrationSecurityDocsMDX(registry_data['version'], Path(f'releases/{config["name"]}-docs'),
- True, historical_rules, package, note=update_message)
+ True, limited_historical_rules, package, note=update_message)
 docs.generate()
 if verbose:
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 566d3eb2c23..4cf7ab62219 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 85afaa38b42..65b634c30d4 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 26b29c34379..213bdc3f9e2 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
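Review bot: The `sde.transform_legacy_assets(historical_rules)` call is removed without a replacement, so whatever `load_integration_assets` returns now goes straight into `keep_latest_versions`; if older packages can still carry legacy-format assets, confirm that the conversion now happens inside `keep_latest_versions` (or upstream) rather than being silently dropped. The raw `historical_rules` stays bound but is not used again after the new line, which reads as an oversight without a comment explaining the two names. A one-line comment above the new call would make the intent explicit, e.g. `# only the latest version of each historical rule is carried into the package and docs`, worded to match what keep_latest_versions actually guarantees. build_release starts before this hunk and continues after it.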
@@ -148,5 +148,12 @@ "logs-aws.cloudtrail-*": { "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword", "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword" + }, + "logs-azure.signinlogs-*": { + "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword" + }, + "logs-azure.activitylogs-*": { + "azure.activitylogs.properties.authentication_protocol": "keyword", + "azure.activitylogs.properties.appId": "keyword" } } diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index b0b412879cb..2a52e57ebb9 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -40,9 +40,9 @@ } }, "rule_name": "System Shells via Services", - "sha256": "f39660853e5b117b27a58684c32fc3028f841c2bfa0676a1716d4775a8fbc5bb", + "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465", "type": "eql", - "version": 312 + "version": 313 }, "00678712-b2df-11ed-afe9-f661ea17fbcc": { "rule_name": "Google Workspace Suspended User Account Renewed", @@ -226,9 +226,9 @@ }, "06dceabf-adca-48af-ac79-ffdf4c3b1e9a": { "rule_name": "Potential Evasion via Filter Manager", - "sha256": "547a848b0b1c9458a6a838abb3430914bb8557a0b1bd030f11d882f5605e024c", + "sha256": "a94b677993a1ef1bed8626490fcb593b210a3fdbe2751e7e2b38a35b5cc4395d", "type": "eql", - "version": 110 + "version": 111 }, "074464f9-f30d-4029-8c03-0ed237fffec7": { "rule_name": "Remote Desktop Enabled in Windows Firewall by Netsh", @@ -267,9 +267,9 @@ } }, "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "793a191ad34ae91c56955a490de13ca8298e1f75a10de07ae143ed3766096355", + "sha256": "56429d1cd02f3329c6753fbb15a52eee3bffe8568d69b72013586dde2be95b57", "type": "eql", - "version": 210 + "version": 211 }, "07b5f85a-240f-11ed-b3d9-f661ea17fbce": { "rule_name": "Google Drive Ownership Transferred via Google Workspace", 
@@ -378,11 +378,17 @@ "type": "query", "version": 106 }, + "0b15bcad-aff1-4250-a5be-5d1b7eb56d07": { + "rule_name": "Yum Package Manager Plugin File Creation", + "sha256": "3a2bd6c4c3a22a51b9ccc02420cce8fbbf1827c026e43f7f8b04905409711bf7", + "type": "eql", + "version": 1 + }, "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": { "rule_name": "Anomalous Windows Process Creation", - "sha256": "a97e8495484e9053dfe57d0b3b3e2cc47984f3e326f8bce2c00bcab788337579", + "sha256": "d0aad9677c998d37e6b01a3e4bf8956839879b80a0b4e4311197d30ab995b06c", "type": "machine_learning", - "version": 105 + "version": 106 }, "0b2f3da5-b5ec-47d1-908b-6ebb74814289": { "rule_name": "User account exposed to Kerberoasting", @@ -404,9 +410,9 @@ }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "rule_name": "Threat Intel IP Address Indicator Match", - "sha256": "cd59f82b14abfb2a445bdd96682846602eb2f8abc1ef27f64dda99f452f99290", + "sha256": "73f1d7ac5e48ae941a948cf4fd8934aa63350e31aa9b81f06de2f8543783dd7d", "type": "threat_match", - "version": 6 + "version": 7 }, "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4": { "rule_name": "Peripheral Device Discovery", @@ -476,10 +482,10 @@ "version": 109 }, "0f4d35e4-925e-4959-ab24-911be207ee6f": { - "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "36731a2b745266798a86c82eee4dbc160faad33f2480d2e5d3f489d91db2ba8f", - "type": "new_terms", - "version": 111 + "rule_name": "rc.local/rc.common File Creation", + "sha256": "85ee9b791a4c7e68fa137cb3157d12117568d3c28d86fe9d8fcec00fc60e084a", + "type": "eql", + "version": 112 }, "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5": { "rule_name": "Netcat Listener Established via rlwrap", 
@@ -651,9 +657,9 @@ }, "138c5dd5-838b-446e-b1ac-c995c7f8108a": { "rule_name": "Rare User Logon", - "sha256": "84ad771aac0fd0883efd7525692d964e0f85a436752431c84b7dc4e012b05679", + "sha256": "050d66ef0de6ff000a472333b58036221ece112a4449c82d370394e4d55bbb59", "type": "machine_learning", - "version": 104 + "version": 105 }, "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a": { "rule_name": "Potential Ransomware Behavior - High count of Readme files by System", 
@@ -785,39 +791,39 @@ }, "1781d055-5c66-4adf-9c59-fc0fa58336a5": { "rule_name": "Unusual Windows Username", - "sha256": "3f017bebc4cd49b96144c2c37d613353b9c74438bb528240c830a99a32537120", + "sha256": "58b73b91dd06522f8cc8e453e0989fef4d37edf64196b91cdf2fea11b8dcb600", "type": "machine_learning", - "version": 104 + "version": 105 }, "1781d055-5c66-4adf-9c71-fc0fa58338c7": { "rule_name": "Unusual Windows Service", - "sha256": "89e1fd74a24609ea12f4b8735c03de06e82fa5940400ce7cc3860d473e9f9b9a", + "sha256": "899e5d7b4c44f03a8e5a152123795f54ba6f92214b25b05afb99357172793f55", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9d60-fc0fa58337b6": { "rule_name": "Suspicious Powershell Script", - "sha256": "c3d4419ad9b4d398652f573451d61439143854032c964a86b28b44f63627d3d3", + "sha256": "914a41f4dc5e8da74932f4f6908d90c631ea34cd726868f28881ac211db41192", "type": "machine_learning", - "version": 104 + "version": 105 }, "1781d055-5c66-4adf-9d82-fc0fa58449c8": { "rule_name": "Unusual Windows User Privilege Elevation Activity", - "sha256": "3e378c975b7684d44d468c1b90b70fd66198d70f52b1af31c2d9877e6e01cda5", + "sha256": "7dfa9272ac79e2ccb11e032297cffca58e295634d51a93a9eece00365696b251", "type": "machine_learning", - "version": 103 + "version": 104 }, "1781d055-5c66-4adf-9e93-fc0fa69550c9": { "rule_name": "Unusual Windows Remote User", - "sha256": "83958e6d3f7ccbbbba3e4f0796b176f124604f15277f14ce33c142029d6c8ff9", + "sha256": "aace3833cd0a4b65fde946008ccdda35d0cdfbd6c6febb57afc96965594545ad", "type": "machine_learning", - "version": 103 + "version": 104 }, "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "rule_name": "Systemd Service Created", - "sha256": "b6d52138336ffdc9944d3309166f6e193ae0cda6f421144245bc69bf4a6559eb", + "sha256": "f39790b9b3abb2ae93c8dd17424d49585bf433630f77d22f8e71e727ded3ef05", "type": "eql", - "version": 11 + "version": 12 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "rule_name": "Renamed Utility Executed with Short Program Name", 
@@ -827,9 +833,9 @@ }, "17e68559-b274-4948-ad0b-f8415bb31126": { "rule_name": "Unusual Network Destination Domain Name", - "sha256": "d0d9eef72ecbbb7af63f2aa522abc13a4cba650dd6da7a17c6b37218c39c1fb8", + "sha256": "0bcbe426712010462b5b8c7b7e268f1c7edb9b662ab4b0db3cdb41c9ded8b7fa", "type": "machine_learning", - "version": 103 + "version": 104 }, "184dfe52-2999-42d9-b9d1-d1ca54495a61": { "rule_name": "GCP Logging Sink Modification", @@ -858,9 +864,9 @@ }, "192657ba-ab0e-4901-89a2-911d611eee98": { "rule_name": "Potential Persistence via File Modification", - "sha256": "13724ccfbad7645a55a6148fd2331a0f15181aca09d104bc269cddfeb702bb7d", + "sha256": "328df92dbc73dc43154f8b6998e6a2201211089ea4fca02386b1d1180d51cf36", "type": "eql", - "version": 1 + "version": 2 }, "193549e8-bb9e-466a-a7f9-7e783f5cb5a6": { "rule_name": "Potential Privilege Escalation via Recently Compiled Executable", @@ -870,9 +876,9 @@ }, "19de8096-e2b0-4bd8-80c9-34a820813fff": { "rule_name": "Rare AWS Error Code", - "sha256": "45da42408e9e47f7550b2ff787fd33fe211dc4d0c4ccbfd9342ae768d88384ec", + "sha256": "e0fed1b61b6fc4ceab47ffa167cd84bceba6c2c6bb33dc781102e3d5da543e9c", "type": "machine_learning", - "version": 208 + "version": 209 }, "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03": { "rule_name": "Spike in Number of Processes in an RDP Session", @@ -948,9 +954,9 @@ }, "1c84dd64-7e6c-4bad-ac73-a5014ee37042": { "rule_name": "Suspicious File Creation in /etc for Persistence", - "sha256": "bf4cceb5ae7a5878a49003e662cdc61a43a63016cf7c081482666a0dac24247b", + "sha256": "40ddcb49b09cc55adadb4d77faa7e2399a198f85b05ae0091ff28080d0b3e163", "type": "eql", - "version": 114 + "version": 115 }, "1c966416-60c1-436b-bfd0-e002fddbfd89": { "rule_name": "Azure Kubernetes Rolebindings Created", 
@@ -1068,9 +1074,9 @@ }, "1e9fc667-9ff1-4b33-9f40-fefca8537eb0": { "rule_name": "Unusual Sudo Activity", - "sha256": "aad0990989bfa63d159c45b28e23cec25bcdd6cb4054ad31584f085b1e38568c", + "sha256": "1b4afd134fbb5d5c1cb57e6672f3fbcc22b63ae075701aa614af5619f80cff4e", "type": "machine_learning", - "version": 103 + "version": 104 }, "1f0a69c0-3392-4adf-b7d5-6012fd292da8": { "rule_name": "Potential Antimalware Scan Interface Bypass via PowerShell", @@ -1086,9 +1092,9 @@ }, "1faec04b-d902-4f89-8aff-92cd9043c16f": { "rule_name": "Unusual Linux User Calling the Metadata Service", - "sha256": "8eb47dead708d739318e797d2fac9c942978cd80eca1354c0063c15ff502adb9", + "sha256": "1020c70dcaf191d3b48430a916809caba50985d924ebc5a379d1de8c0dc3fca9", "type": "machine_learning", - "version": 103 + "version": 104 }, "1fe3b299-fbb5-4657-a937-1d746f2c711a": { "rule_name": "Unusual Network Activity from a Windows System Binary", @@ -1232,6 +1238,13 @@ "type": "new_terms", "version": 1 }, + "23f18264-2d6d-11ef-9413-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", + "sha256": "68aeb823e4de7c8e670285a009dd7c9fc39ae2a9abf83f65c35df1d9818dd586", + "type": "esql", + "version": 1 + }, "24401eca-ad0b-4ff9-9431-487a8e183af9": { "rule_name": "New GitHub Owner Added", "sha256": "30fc492bcc0364696d21c281124ec1d963222a387430bd66f8db31b80df23764", @@ -1408,6 +1421,12 @@ "type": "eql", "version": 5 }, + "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { + "rule_name": "Privilege Escalation via SUID/SGID", + "sha256": "d4750d3483d151cf29d387937a0c53e16532bb6c7f76c4129182f11af26907bd", + "type": "eql", + "version": 1 + }, "28f6f34b-8e16-487a-b5fd-9d22eb903db8": { "rule_name": "Shell Configuration Creation or Modification", "sha256": "26fb29a8c8c328b8e46ed17a8fda1d07250948bb305e19031173410ae35d3669", 
@@ -1521,9 +1540,9 @@ } }, "rule_name": "Adobe Hijack Persistence", - "sha256": "eb4e880bc7d79b0831cdd9063d6745aad9f422d7f4b708a0894c414c790af064", + "sha256": "444405e37e8e57d20939866f5b78a3a70eb14ff1533a0524f612c56daa2ce62a", "type": "eql", - "version": 313 + "version": 314 }, "2c17e5d7-08b9-43b2-b58a-0270d65ac85b": { "rule_name": "Windows Defender Exclusions Added via PowerShell", @@ -1586,11 +1605,20 @@ "version": 2 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.10", + "min_stack_version": "8.13", + "previous": { + "8.10": { + "max_allowable_version": 100, + "rule_name": "Okta User Sessions Started from Different Geolocations", + "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", + "type": "threshold", + "version": 1 + } + }, "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc", - "type": "threshold", - "version": 1 + "sha256": "46d05336c091b15f5411222d6025f5b05a2712ed0cdad1ae60eda64282563004", + "type": "esql", + "version": 101 }, "2e580225-2a58-48ef-938b-572933be06fe": { "rule_name": "Halfbaked Command and Control Beacon", @@ -1684,9 +1712,9 @@ }, "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62": { "rule_name": "Bypass UAC via Event Viewer", - "sha256": "e6a2af9522e0e9af476dbdd8aacdf56e95e20a452abd93a0bbd42f622856b52c", + "sha256": "f68acc17e7920c1e4f473b0e72524adf18803529c9ab6fbb7b3f4369cc464908", "type": "eql", - "version": 112 + "version": 113 }, "3202e172-01b1-4738-a932-d024c514ba72": { "rule_name": "GCP Pub/Sub Topic Deletion", 
@@ -1714,9 +1742,9 @@ }, "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14": { "rule_name": "Program Files Directory Masquerading", - "sha256": "8cec03274c88dea9a86f4cc7af3af538103fe9b253736b1c5dd81848830076fa", + "sha256": "e86edbafc8daaa9e5141a1d1c7ef7582752907da5625aadc6aa59f4c7418e7b1", "type": "eql", - "version": 109 + "version": 110 }, "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.13", @@ -1737,9 +1765,9 @@ } }, "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "a7e4e52230f1a2f269732a45b210a8cded335e4867e2095abbb2d707d4a0e932", + "sha256": "d795d9c2b5323cd4d471b74493354dc0efd031e16c8fa6f35c34b0e17c0d6f5c", "type": "eql", - "version": 313 + "version": 314 }, "333de828-8190-4cf5-8d7c-7575846f6fe0": { "rule_name": "AWS IAM User Addition to Group", @@ -1820,9 +1848,9 @@ }, "35f86980-1fb1-4dff-b311-3be941549c8d": { "rule_name": "Network Traffic to Rare Destination Country", - "sha256": "599670166b519587f8e2c8712aaec4839a9edfbd71f94eef4d3ca35a4bff8e82", + "sha256": "4717b0d0eb76707afa4f290f2239c9c078684d413574d6615ec4c298bd38495c", "type": "machine_learning", - "version": 103 + "version": 104 }, "3605a013-6f0c-4f7d-88a5-326f5be262ec": { "rule_name": "Potential Privilege Escalation via Local Kerberos Relay over LDAP", @@ -1952,6 +1980,12 @@ "type": "eql", "version": 107 }, + "39c06367-b700-4380-848a-cab06e7afede": { + "rule_name": "Systemd Generator Created", + "sha256": "942799a502924a8770a66f92b4f43fa2438edf86eef4d2e1fc81c5d5934ca45b", + "type": "eql", + "version": 1 + }, "3a59fc81-99d3-47ea-8cd6-d48d561fca20": { "rule_name": "Potential DNS Tunneling via NsLookup", "sha256": "4a18eb2fad582229c98d6a037fd50e8c8c1ce71cc2a6442d5f73f60435460035", 
@@ -1964,6 +1998,12 @@ "type": "eql", "version": 8 }, + "3a657da0-1df2-11ef-a327-f661ea17fbcc": { + "rule_name": "Rapid7 Threat Command CVEs Correlation", + "sha256": "23e49f0f8d57d3b70852d1ff51fde7a12744141f9986f4fa048aba19f7db89a1", + "type": "threat_match", + "version": 1 + }, "3a86e085-094c-412d-97ff-2439731e59cb": { "rule_name": "Setgid Bit Set via chmod", "sha256": "8a227c09d80f4787ecef3e02690f51fd836b29aafcd6b210d859c4cd51203941", @@ -2013,9 +2053,9 @@ } }, "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "99fe156012393a6350811a3ccf9ecaf4dc0d399569a90aa01cc5cebe44117352", + "sha256": "fc39f2acde3920cf811fffeba7c26a81cdba43f00f44e9649e96c6638439f59c", "type": "eql", - "version": 312 + "version": 313 }, "3bc6deaa-fbd4-433a-ae21-3e892f95624f": { "rule_name": "NTDS or SAM Database File Copied", @@ -2025,9 +2065,9 @@ }, "3c7e32e6-6104-46d9-a06e-da0f8b5795a0": { "rule_name": "Unusual Linux Network Port Activity", - "sha256": "a2800c6cc225debfe9958195da944e5b1ead6405ccad4dac405b7e7d337dade9", + "sha256": "c9f2e221dc5c9b631010dd7a284367f67e996150f41da955b0bcb0608b3c0358", "type": "machine_learning", - "version": 103 + "version": 104 }, "3d00feab-e203-4acc-a463-c3e15b7e9a73": { "rule_name": "ScreenConnect Server Spawning Suspicious Processes", @@ -2135,6 +2175,12 @@ "type": "machine_learning", "version": 4 }, + "3fe4e20c-a600-4a86-9d98-3ecb1ef23550": { + "rule_name": "DNF Package Manager Plugin File Creation", + "sha256": "a84dfe6ccc1996ada49913439cc47e7a0a10d463f3385caf7a4f35804f884888", + "type": "eql", + "version": 1 + }, "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb": { "rule_name": "Unusual Process Spawned by a User", "sha256": "2a6704800d9d4ac73e97a1241f8f991ff2aff985ef0da43109ca59eda2b02134", 
@@ -2233,9 +2279,9 @@ }, "4330272b-9724-4bc6-a3ca-f1532b81e5c2": { "rule_name": "Unusual Login Activity", - "sha256": "178b730df2f0523fca5d50f1c7bfb91a3b574b4d6bfa9a475d11d6208ef93b2c", + "sha256": "fdcb136029096fba35b1435354f3b4a22f6dcab41a79c2096a9f6a69530cf553", "type": "machine_learning", - "version": 103 + "version": 104 }, "43303fd4-4839-4e48-b2b2-803ab060758d": { "rule_name": "Web Application Suspicious Activity: No User Agent", @@ -2257,9 +2303,9 @@ }, "445a342e-03fb-42d0-8656-0367eb2dead5": { "rule_name": "Unusual Windows Path Activity", - "sha256": "0c0dc0204bae57db331547a95b8be8a1a7a915fd32f0e9ed199b109a8418db7e", + "sha256": "55a14d59ed931d8a978a293e06c04c86113da5bba42e828f4d6f59908cfb7c94", "type": "machine_learning", - "version": 104 + "version": 105 }, "4494c14f-5ff8-4ed2-8e99-bf816a1642fc": { "rule_name": "Potential Masquerading as VLC DLL", @@ -2311,15 +2357,15 @@ }, "46f804f5-b289-43d6-a881-9387cf594f75": { "rule_name": "Unusual Process For a Linux Host", - "sha256": "5fbea0760b51ff40b45435e9978a27fd21ee1b2a9792c2892ca01cc45f6dc782", + "sha256": "816980152a0f36cc1d798d0b07b1c2c7814d4362233efb481d1f0525d8705fb1", "type": "machine_learning", - "version": 104 + "version": 105 }, "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { - "rule_name": "Potential Persistence Through init.d Detected", - "sha256": "f475866a4eb28902febd629ce11fefe77e80d41baabebe63a0b893ddd7d9a753", - "type": "new_terms", - "version": 10 + "rule_name": "System V Init Script Created", + "sha256": "2466e400fbb2609de0e103e31fce633373687c8f415da505013088e414873e97", + "type": "eql", + "version": 11 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "rule_name": "Sensitive Files Compression Inside A Container", 
@@ -2389,9 +2435,9 @@ }, "493834ca-f861-414c-8602-150d5505b777": { "rule_name": "Agent Spoofing - Multiple Hosts Using Same Agent", - "sha256": "6928326257c9c13a06c0f1b72217966aa1141319570100427a2bc9edc41964c0", + "sha256": "c43d7caff55a0e669d84e34d8cb65261d090952151144bb98ddc066fb35fb251", "type": "threshold", - "version": 101 + "version": 102 }, "494ebba4-ecb7-4be4-8c6f-654c686549ad": { "rule_name": "Potential Linux Backdoor User Account Creation", @@ -2592,9 +2638,9 @@ } }, "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "f5b43f0f0f3a4cd3823fedc6900054657f8adb7bd85b6cc8097f892872bf6f3b", + "sha256": "56b311155088f43b725ed46b4f073ce9e8c6c4cf56e3a435b24b86d86aad53c2", "type": "eql", - "version": 310 + "version": 311 }, "514121ce-c7b6-474a-8237-68ff71672379": { "rule_name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", @@ -2652,9 +2698,9 @@ }, "52afbdc5-db15-485e-bc24-f5707f820c4b": { "rule_name": "Unusual Linux Network Activity", - "sha256": "17357496d0db27a4d0ccddae1c436a5239eced079e597b6deaf8b586add984e7", + "sha256": "55992af5ec9860d11678c489909dda9a45c32e993b83107a655b61fffe7b5fd1", "type": "machine_learning", - "version": 103 + "version": 104 }, "52afbdc5-db15-485e-bc35-f5707f820c4c": { "rule_name": "Unusual Linux Web Activity", @@ -2857,6 +2903,12 @@ "type": "eql", "version": 3 }, + "57bfa0a9-37c0-44d6-b724-54bf16787492": { + "rule_name": "DNS Global Query Block List Modified or Disabled", + "sha256": "c31bbb3334b07220c4b6cef2aa9a19eab7c31d95eb16d2aa4e9238bee56e8c23", + "type": "eql", + "version": 1 + }, "581add16-df76-42bb-af8e-c979bfb39a59": { "rule_name": "Deleting Backup Catalogs with Wbadmin", "sha256": "f0266b580614dbb0c7ec5ff4505f577f89518b4141c2b2c116082bbf595986e5", 
@@ -2907,9 +2959,9 @@ }, "59756272-1998-4b8c-be14-e287035c4d10": { "rule_name": "Unusual Linux User Discovery Activity", - "sha256": "f22f060fba5f9de2376d38ce5ced5885370cdee60ce06026422199c3d3636225", + "sha256": "ee20cd99bcb1d96c1b45a7497beed44d5f9a3ea2acd13f0bb8e35352cbf59909", "type": "machine_learning", - "version": 104 + "version": 105 }, "5a14d01d-7ac8-4545-914c-b687c2cf66b3": { "rule_name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", @@ -3010,9 +3062,9 @@ }, "5c983105-4681-46c3-9890-0c66d05e776b": { "rule_name": "Unusual Linux Process Discovery Activity", - "sha256": "e67ff82fd38ab4af435c7cd93dee29535aac33d0dca591dada0c896337e58380", + "sha256": "f9a87ae54214bad3a060e755e979bde3234717dd912edb1867dd9bb0f3f658b1", "type": "machine_learning", - "version": 103 + "version": 104 }, "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0": { "rule_name": "Potential Defense Evasion via PRoot", @@ -3050,6 +3102,12 @@ "type": "eql", "version": 108 }, + "5d676480-9655-4507-adc6-4eec311efff8": { + "rule_name": "Unsigned DLL loaded by DNS Service", + "sha256": "ff6aae20990da6a915ef2a0f93547eabc6c109425ad02e3ee30fbad6a7fcf19c", + "type": "eql", + "version": 1 + }, "5d9f8cfc-0d03-443e-a167-2b0597ce0965": { "rule_name": "Suspicious Automator Workflows Execution", "sha256": "8a91321d4c4824d08e1ec1d1f2db52ad985b859f4e5838169834aa4bbdfff906", @@ -3208,9 +3266,9 @@ }, "647fc812-7996-4795-8869-9c4ea595fe88": { "rule_name": "Anomalous Process For a Linux Population", - "sha256": "83b053309247f90ea7bda7f3c8e474257fe61dec3fc68d387888dc2da6ccf096", + "sha256": "a43d2835f72ae42b2a33840b01901aa85c4bcef91e50f5fb8d5ba647ff9bb0e7", "type": "machine_learning", - "version": 104 + "version": 105 }, "6482255d-f468-45ea-a5b3-d3a7de1331ae": { "rule_name": "Modification of Safari Settings via Defaults Command", 
@@ -3408,6 +3466,12 @@ "type": "eql", "version": 1 }, + "68c5c9d1-38e5-48bb-b1b2-8b5951d39738": { + "rule_name": "AWS RDS DB Snapshot Created", + "sha256": "972c43b3af38053965d950138537310a6389c29d66d68617fbafc87b01aa6a31", + "type": "query", + "version": 1 + }, "68d56fdc-7ffa-4419-8e95-81641bd6f845": { "rule_name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "sha256": "0e58274266004591d50a31dccda8579c2e48897fecb54d3ff9aa6153e1b2f459", @@ -3420,12 +3484,25 @@ "type": "query", "version": 106 }, + "696015ef-718e-40ff-ac4a-cc2ba88dbeeb": { + "min_stack_version": "8.13", + "rule_name": "AWS IAM User Created Access Keys For Another User", + "sha256": "47b579b9a56ed6ea73b213367dcfbd08587402835edd04fc34313a9314a6cd79", + "type": "esql", + "version": 1 + }, "699e9fdb-b77c-4c01-995c-1c15019b9c43": { "rule_name": "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match", "sha256": "323f4b02dcebb3ae76b6d959c325eb0da4b02ab1cf6d98b0437795dbcdd6eb85", "type": "threat_match", "version": 204 }, + "69c116bb-d86f-48b0-857d-3648511a6cac": { + "rule_name": "Suspicious rc.local Error Message", + "sha256": "0b487e1b833bcafdcb2b535bc15463752b290f256859f2abdfb8a98f096a69bb", + "type": "query", + "version": 1 + }, "69c251fb-a5d6-4035-b5ec-40438bd829ff": { "rule_name": "Modification of Boot Configuration", "sha256": "500524cf359e95ea7b5677b35a1d166b011fa0b33628d49b9e0ca3dcb7531525", @@ -3469,9 +3546,9 @@ } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "9a2bd321243f33c29af8cab474c2a52763818ef4340040453bf1e111f2e47503", + "sha256": "d96da39b124844378ebe2dccb3f7abd14b3ea249368ba1cc52f0569beb16aebf", "type": "eql", - "version": 313 + "version": 314 }, "6ace94ba-f02c-4d55-9f53-87d99b6f9af4": { "rule_name": "Suspicious Utility Launched via ProxyChains", 
@@ -3511,9 +3588,9 @@ }, "6d448b96-c922-4adb-b51c-b767f1ea5b76": { "rule_name": "Unusual Process For a Windows Host", - "sha256": "1259847bc59ec8a6f2558f519c3d33e6a2166fa18da8ef169a7d2de8a08225c6", + "sha256": "4223306f5dfb909d0740513fea9760aef024d21d749079f1c925795c4595c203", "type": "machine_learning", - "version": 108 + "version": 109 }, "6d8685a1-94fa-4ef7-83de-59302e7c4ca8": { "rule_name": "Potential Privilege Escalation via CVE-2023-4911", @@ -3529,9 +3606,9 @@ }, "6e40d56f-5c0e-4ac6-aece-bee96645b172": { "rule_name": "Anomalous Process For a Windows Population", - "sha256": "797cf8fc982536b11a0679348b4eca584db853de77646320ff0c146465196bcd", + "sha256": "e37d7455b40bc535bfe594dc80d1c349bd5dc6dc8b29ea9f6188efc2c897e623", "type": "machine_learning", - "version": 105 + "version": 106 }, "6e9130a5-9be6-48e5-943a-9628bfc74b18": { "rule_name": "AdminSDHolder Backdoor", @@ -3569,6 +3646,12 @@ "type": "eql", "version": 7 }, + "6f024bde-7085-489b-8250-5957efdf1caf": { + "rule_name": "Active Directory Group Modification by SYSTEM", + "sha256": "c9b21cdf8c1e8c7c10492858026a18da544e7c035d10d55ccc0026ef0f488f57", + "type": "eql", + "version": 1 + }, "6f1500bc-62d7-4eb9-8601-7485e87da2f4": { "rule_name": "SSH (Secure Shell) to the Internet", "sha256": "ccd5c6ae27b2cc637f6bbb39e5d6b025d56dc2c81975d697ada670a54ce65ef5", @@ -3697,7 +3780,13 @@ }, "730ed57d-ae0f-444f-af50-78708b57edd5": { "rule_name": "Suspicious JetBrains TeamCity Child Process", - "sha256": "c9e084cfb0ca88c2cc8bfdeaeae122e26763a683878236cd17307ce5cabfe578", + "sha256": "37aa131f6982a43283697967e08ef37198a296567f76495c23c42aa2350aa1ca", + "type": "eql", + "version": 2 + }, + "7318affb-bfe8-4d50-a425-f617833be160": { + "rule_name": "Potential Execution of rc.local Script", + "sha256": "f72ef3ae820cc7827a173bd53ee654a144ca8e561720eb21b16aa8038e77cc52", "type": "eql", "version": 1 }, 
@@ -3725,15 +3814,15 @@ }, "745b0119-0560-43ba-860a-7235dd8cee8d": { "rule_name": "Unusual Hour for a User to Logon", - "sha256": "8c8f1df8c5b78cb30de44700004958516615a323691d707eee2ed79b9a00424c", + "sha256": "a93547b576fb979d332fb9489f405cbc02bb2c196fed5cc175539deb931873a6", "type": "machine_learning", - "version": 104 + "version": 105 }, "746edc4c-c54c-49c6-97a1-651223819448": { "rule_name": "Unusual DNS Activity", - "sha256": "b9ea779f9594e53247551940577acd651bc9971f972c085f9476e736de350577", + "sha256": "be2743603bcbf86cc96a4bdfd8c5de3f4377cc7621eeafe530eac2db9e6342c7", "type": "machine_learning", - "version": 103 + "version": 104 }, "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "rule_name": "Suspicious Sysctl File Event", @@ -3808,9 +3897,9 @@ } }, "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "5dc0aa50792a92d4380b7f0f4e326e624d77e221bc6825424687daac0e26083f", + "sha256": "c762e1ba8e72d23f0ccff398f0213ae177b8f5c62687a8a5df50f506ac30fc3f", "type": "eql", - "version": 312 + "version": 313 }, "770e0c4d-b998-41e5-a62e-c7901fd7f470": { "rule_name": "Enumeration Command Spawned via WMIPrvSE", @@ -3842,6 +3931,12 @@ "type": "threshold", "version": 6 }, + "78390eb5-c838-4c1d-8240-69dd7397cfb7": { + "rule_name": "Yum/DNF Plugin Status Discovery", + "sha256": "fc16f370dc60f9055462ab95361c53882679cdb66bc38d1af9e0d11c7fe6cae2", + "type": "eql", + "version": 1 + }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "rule_name": "Application Added to Google Workspace Domain", "sha256": "ad5d0246eae8608a0868956eb3e4b6b36c94a4180a1194ca35da083d3264ecb6", @@ -3856,9 +3951,9 @@ }, "78d3d8d9-b476-451d-a9e0-7a5addd70670": { "rule_name": "Spike in AWS Error Messages", - "sha256": "b9c3990fedf14024b1c9c83464350edfd9ebd517c53d2aacebbb3a848d9740f2", + "sha256": "fdab7511f64935faf0bd44cb14c5924f678aa613944ed7ac1d07240a12cd401e", "type": "machine_learning", - "version": 208 + "version": 209 }, "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.13", 
@@ -3879,9 +3974,9 @@ } }, "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "1cd4ba234bf93cf872872658b01960cdc2fdcd04262dadd0399b738cff42d2e4", + "sha256": "be515aa4079a17e1c8bfa4a48abf4988546407c452bb83a12e8a9ea37618a65c", "type": "eql", - "version": 203 + "version": 204 }, "78e9b5d5-7c07-40a7-a591-3dbbf464c386": { "rule_name": "Suspicious File Renamed via SMB", @@ -3985,6 +4080,12 @@ "type": "query", "version": 106 }, + "7ce5e1c7-6a49-45e6-a101-0720d185667f": { + "rule_name": "Git Hook Child Process", + "sha256": "e77cd450455ec49667cac7e0a1957a71b6b3644f627fe8c00b5bd2c41a8e0262", + "type": "eql", + "version": 1 + }, "7ceb2216-47dd-4e64-9433-cddc99727623": { "rule_name": "GCP Service Account Creation", "sha256": "0c8a23dace5a96a836f6a55bbc9dc2e64550d584c98257f3b7dbbaaf0d79805c", @@ -4016,6 +4117,13 @@ "type": "eql", "version": 2 }, + "7e23dfef-da2c-4d64-b11d-5f285b638853": { + "min_stack_version": "8.9", + "rule_name": "Microsoft Management Console File from Unusual Path", + "sha256": "adb75f0219164c5e3c96a145f69d0da86658f728ce7ced78350c0b40f97eb464", + "type": "eql", + "version": 2 + }, "7f370d54-c0eb-4270-ac5a-9a6020585dc6": { "rule_name": "Suspicious WMIC XSL Script Execution", "sha256": "d375afba7884212b8fe34d5179603d5a9a7a16f14ec76a18f89032b8ca01d5e2", @@ -4030,9 +4138,9 @@ }, "7fb500fa-8e24-4bd1-9480-2a819352602c": { "rule_name": "Systemd Timer Created", - "sha256": "677de35cf201258b8369fc2085f3f72db239e9011cff322e8f5f332afcf46888", + "sha256": "45cb9853a105ac47b63d0424f8bae22ba4f4cd32a1a54641b355e1ca2600cc91", "type": "eql", - "version": 11 + "version": 12 }, "7fda9bb2-fd28-11ee-85f9-f661ea17fbce": { "min_stack_version": "8.13", 
@@ -4068,9 +4176,9 @@ }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "rule_name": "Unusual City For an AWS Command", - "sha256": "d6cbad92730cf10d62df532e09bfef35bca6439b7ff5b0f34337bdda6ab38199", + "sha256": "89302a4ee46c254ece373ba0f594ea3ca2cc108b88e04a312fe1372645a60fe2", "type": "machine_learning", - "version": 208 + "version": 209 }, "80c52164-c82a-402c-9964-852533d58be1": { "rule_name": "Process Injection - Detected - Elastic Endgame", @@ -4285,6 +4393,12 @@ "type": "eql", "version": 108 }, + "894326d2-56c0-4342-b553-4abfaf421b5b": { + "rule_name": "Potential WPAD Spoofing via DNS Record Creation", + "sha256": "e31ebc9b2e2d37078a625aed023401808117893b3d430c3d1efa9613c4c25e8b", + "type": "eql", + "version": 1 + }, "89583d1b-3c2e-4606-8b74-0a9fd2248e88": { "rule_name": "Linux Restricted Shell Breakout via the vi command", "sha256": "4e641b4ff6b6f35846fe1d66fcc4aa611c357f27f064a62f067df3209e95af79", @@ -4329,10 +4443,10 @@ "version": 1 }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { - "rule_name": "Setuid / Setgid Bit Set via chmod", - "sha256": "9c15ba48b9d09639823c4d9695769a98190668b5a82f91664552b3a1d00134d5", - "type": "query", - "version": 103 + "rule_name": "SUID/SGID Bit Set", + "sha256": "d30b78adc54d39f3c741ae106d085d3b2c772c7bcc6ff6cd5f0431e699ffb069", + "type": "eql", + "version": 104 }, "8a1d4831-3ce6-4859-9891-28931fa6101d": { "rule_name": "Suspicious Execution from a Mounted Device", @@ -4370,9 +4484,9 @@ }, "8b2b3a62-a598-4293-bc14-3d5fa22bb98f": { "rule_name": "Executable File Creation with Multiple Extensions", - "sha256": "bccda8eb5129b06f4f741772f5096f1be5c8365b976b07a61c32e442f9138298", + "sha256": "bd7eef4c8a972ad7be423197abf484709d19760edfa1a3d0bf09725dcfed57d0", "type": "eql", - "version": 108 + "version": 109 }, "8b4f0816-6a65-4630-86a6-c21c179c0d09": { "rule_name": "Enable Host Network Discovery via Netsh", 
@@ -4526,21 +4640,21 @@ }, "91f02f01-969f-4167-8d77-07827ac4cee0": { "rule_name": "Unusual Web User Agent", - "sha256": "085e5fd9bc868b88d70882d6ff9ad8cd88277bde6a5536d032d204050b191347", + "sha256": "2acbdd0a26677cad2bb141876358cb764775e21d0e209f84d883f66ed4cc509c", "type": "machine_learning", - "version": 103 + "version": 104 }, "91f02f01-969f-4167-8f55-07827ac3acc9": { "rule_name": "Unusual Web Request", - "sha256": "ca0f4d650120d7af5f5c1b882104229c33beac3e20991c9c22403a8a79b89ae1", + "sha256": "974cc349d144864b4b2c7bf8228f2ef15c5942087c8d3b0c220d50909b0b8f71", "type": "machine_learning", - "version": 103 + "version": 104 }, "91f02f01-969f-4167-8f66-07827ac3bdd9": { "rule_name": "DNS Tunneling", - "sha256": "30ea79771106d5283bb2b93e9376e9b56ebb99c37ef021f485fdc2ea17c783ea", + "sha256": "97758f8c16d53ae0d9fd710f22e21664a5e7ac786569e132352b563c0fec69cb", "type": "machine_learning", - "version": 103 + "version": 104 }, "929223b4-fba3-4a1c-a943-ec4716ad23ec": { "rule_name": "GitHub UEBA - Multiple Alerts from a GitHub Account", @@ -4577,10 +4691,11 @@ "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { + "min_stack_version": "8.9", "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", - "sha256": "b0f5b4e396353924df242d69030559c5fd2dab01d092d3573750a4611ce59860", + "sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c", "type": "query", - "version": 206 + "version": 207 }, "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4": { "rule_name": "Sudoers File Modification", 
@@ -4636,10 +4751,10 @@ "version": 204 }, "94418745-529f-4259-8d25-a713a6feb6ae": { - "rule_name": "Executable Bit Set for rc.local/rc.common", - "sha256": "7dbae46a5a71705bc609aadd65a6bc77c9d8674e353966fa6c00c152d96f0990", + "rule_name": "Executable Bit Set for Potential Persistence Script", + "sha256": "45b22e6a32cde549ff94fed6e252272ab50f5e930618ac392c419221bc2e7a0b", "type": "eql", - "version": 1 + "version": 2 }, "947827c6-9ed6-4dec-903e-c856c86e72f3": { "rule_name": "Creation of Kernel Module", @@ -4653,6 +4768,13 @@ "type": "eql", "version": 8 }, + "94e734c0-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Client Address", + "sha256": "58ae4c29b8169b66911606add6b41d931703e9b60ab61eeeed2c2199d336378e", + "type": "esql", + "version": 1 + }, "9510add4-3392-11ed-bd01-f661ea17fbce": { "rule_name": "Google Workspace Custom Gmail Route Created or Modified", "sha256": "13c2c8915478dad932a8b2375537e1960622c8dde7a6ac83375802a12c539fe1", @@ -4677,6 +4799,13 @@ "type": "query", "version": 108 }, + "95b99adc-2cda-11ef-84e1-f661ea17fbce": { + "min_stack_version": "8.13", + "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", + "sha256": "22d8f8f7b3a1f49d8a20f6a8689d8b956724b24cc7694994859ce03c6909068d", + "type": "esql", + "version": 1 + }, "9661ed8b-001c-40dc-a777-0983b7b0c91a": { "rule_name": "Sensitive Keys Or Passwords Searched For Inside A Container", "sha256": "54b3d3c9b093b147b2a9544592815de34c26f37b971ca155743f92fafcd674b9", @@ -4783,9 +4912,9 @@ } }, "rule_name": "Suspicious Zoom Child Process", - "sha256": "ab6c4f09d32014591e2a374947f000d68295f96989a72225b3e4930e37e5bc20", + "sha256": "fdc712e98749caac8f80fb5adc343a38c6b7eed30751ae4cf8616c996a9cf8bc", "type": "eql", - "version": 312 + "version": 313 }, "97da359b-2b61-4a40-b2e4-8fc48cf7a294": { "rule_name": "Linux Restricted Shell Breakout via the ssh command", 
@@ -4867,9 +4996,9 @@ }, "99dcf974-6587-4f65-9252-d866a3fdfd9c": { "rule_name": "Spike in Failed Logon Events", - "sha256": "1a2c14a7384dc942a3ff18edf7acc8a80867ba7213895616cb80e917fa985a6f", + "sha256": "ca08904de89887f5891bd0f501edc49c036372ce18d12a47f09c6dc211d1e964", "type": "machine_learning", - "version": 104 + "version": 105 }, "9a1a2dae-0b5f-4c3d-8305-a268d404c306": { "rule_name": "Endpoint Security", @@ -5007,9 +5136,9 @@ }, "9d302377-d226-4e12-b54c-1906b5aec4f6": { "rule_name": "Unusual Linux Process Calling the Metadata Service", - "sha256": "a8ec37b93c67426decc04bb1828dece6c21599efba58c2bcbdba4de0db24d7e5", + "sha256": "1c176b99688c3dfffb29f7fd942a5db17890c0e4c8507595266a7ef192f0698c", "type": "machine_learning", - "version": 103 + "version": 104 }, "9f1c4ca3-44b5-481d-ba42-32dc215a2769": { "rule_name": "Potential Protocol Tunneling via EarthWorm", @@ -5177,9 +5306,9 @@ }, "a61809f3-fb5b-465c-8bff-23a8a068ac60": { "rule_name": "Threat Intel Windows Registry Indicator Match", - "sha256": "498e400e2ab211c23df18b38f3485b255be2cf09808ae8221fc1f70ecfd680b6", + "sha256": "911df9a41bce872a7cd60687c487a8d1b6d05ca3e4c2748968cefb7fdc63f3b3", "type": "threat_match", - "version": 6 + "version": 7 }, "a624863f-a70d-417f-a7d2-7a404638d47f": { "rule_name": "Suspicious MS Office Child Process", @@ -5292,9 +5421,9 @@ }, "aab184d3-72b3-4639-b242-6597c99d8bca": { "rule_name": "Threat Intel Hash Indicator Match", - "sha256": "fabef06c8a2e4298330aaf2e04e9c55737a516954c890d808e5d4a901aace9fe", + "sha256": "e1161667047c076c8d8e436e3ce9b940a7089c5cf8587b557f3b3b52119d231a", "type": "threat_match", - "version": 7 + "version": 8 }, "ab75c24b-2502-43a0-bf7c-e60e662c811e": { "rule_name": "Remote Execution via File Shares", 
@@ -5304,9 +5433,9 @@ }, "abae61a8-c560-4dbd-acca-1e1438bff36b": { "rule_name": "Unusual Windows Process Calling the Metadata Service", - "sha256": "ac1ddf7a6cff4d90ca970314e03ccc69c8b2c416130ed735e10bbaf12458ff51", + "sha256": "e47f2af768f5f8d5ebfcdad5c838efe410a8712405d61d5d3d4786000bd6e676", "type": "machine_learning", - "version": 103 + "version": 104 }, "ac412404-57a5-476f-858f-4e8fbb4f48d8": { "rule_name": "Potential Persistence via Login Hook", @@ -5337,11 +5466,17 @@ "type": "eql", "version": 314 }, + "ac531fcc-1d3b-476d-bbb5-1357728c9a37": { + "rule_name": "Git Hook Created or Modified", + "sha256": "0e054a4d038b07eafcacda1d0db5d03bdcfc365eea986702a69ed4aa816a50fe", + "type": "eql", + "version": 1 + }, "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": { "rule_name": "Unusual AWS Command for a User", - "sha256": "17d74013b573ef431a61391d055df4a9ab5851741a17e466a651c3a1f13efb49", + "sha256": "d63bbd2ad70ae7aa5d8a32e0db1323f15cd754a172e2c47f4cffe36935b2e8ee", "type": "machine_learning", - "version": 208 + "version": 209 }, "ac8805f6-1e08-406c-962e-3937057fa86f": { "rule_name": "Potential Protocol Tunneling via Chisel Server", @@ -5508,9 +5643,9 @@ }, "b240bfb8-26b7-4e5e-924e-218144a3fa71": { "rule_name": "Spike in Network Traffic", - "sha256": "36d61f7dbb342836f5db53ce1a06141cecfee9ba6d09cbb69983df79202257e6", + "sha256": "de46ac771569265cca83a3eb78ca92c48cf3478e0c49d68ffeb12dfeeaeccaf5", "type": "machine_learning", - "version": 103 + "version": 104 }, "b25a7df2-120a-4db2-bd3f-3e4b86b24bee": { "rule_name": "Remote File Copy via TeamViewer", @@ -5532,9 +5667,9 @@ }, "b347b919-665f-4aac-b9e8-68369bf2340c": { "rule_name": "Unusual Linux Username", - "sha256": "fe769843cd4082749444ae077951c9a8e2bfe4d74ba57fd091eacee470975016", + "sha256": "a06f31bcbb968f4b0f7c2b9729c84a695e91e13c34ea63cd6aaedb3ccb06324d", "type": "machine_learning", - "version": 103 + "version": 104 }, "b41a13c6-ba45-4bab-a534-df53d0cfed6a": { "rule_name": "Suspicious Endpoint Security Parent Process", 
@@ -5625,6 +5760,12 @@ "type": "eql", "version": 1 }, + "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b": { + "rule_name": "Potential Privilege Escalation via Service ImagePath Modification", + "sha256": "8af473db73fdf2cb22badcbf84c85a6ad922b4d8122fe10962a2210d0e73f2d4", + "type": "eql", + "version": 1 + }, "b6dce542-2b75-4ffb-b7d6-38787298ba9d": { "rule_name": "Azure Event Hub Authorization Rule Created or Updated", "sha256": "a4d9380d9e964e50c7845854fa02ca808976bf2d52c4cb73dd90ed4e9439ae09", @@ -5700,9 +5841,9 @@ } }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "5b9416b0c074d30e24badf5a0daa0825766bb7ae7d99b88130f7c0999a392af3", + "sha256": "5fbb8e28328ce0d6b8eb601ed88b02aea94913e0aaac62864d73965cca3ef190", "type": "eql", - "version": 310 + "version": 311 }, "b86afe07-0d98-4738-b15d-8d7465f95ff5": { "rule_name": "Network Connection via MsXsl", @@ -5729,9 +5870,9 @@ } }, "rule_name": "Kirbi File Creation", - "sha256": "001f917502544177abdc78801aa208266c38c099300c58dbb69e62bb88128594", + "sha256": "5f68a51fbff3daf700727004dda7323867ebada906851b39cfff85701f065634", "type": "eql", - "version": 207 + "version": 208 }, "b90cdde7-7e0d-4359-8bf0-2c112ce2008a": { "rule_name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", @@ -5777,9 +5918,9 @@ }, "ba342eb2-583c-439f-b04d-1fdd7c1417cc": { "rule_name": "Unusual Windows Network Activity", - "sha256": "061e957d07cb102889f0ff1a1f4fa80b4f22eeefc5aad74fd2544ccf0852d5ad", + "sha256": "f44147f6949a71b6f2d3d1fce8812830bd011f98dcef007a977d3a50df705d57", "type": "machine_learning", - "version": 103 + "version": 104 }, "ba81c182-4287-489d-af4d-8ae834b06040": { "rule_name": "Kernel Driver Load by non-root User", 
@@ -6007,9 +6148,9 @@ }, "c28c4d8c-f014-40ef-88b6-79a1d67cd499": { "rule_name": "Unusual Linux Network Connection Discovery", - "sha256": "197e0ebe16417250c895c6ab8ef0894bdebdd8535da44dc8426106a4eb63b02d", + "sha256": "7d982bb13ae1a04e1debe5ea0265e3e5d576b25838f8bd13877d6c5a1b77a681", "type": "machine_learning", - "version": 103 + "version": 104 }, "c292fa52-4115-408a-b897-e14f684b3cb7": { "rule_name": "Persistence via Folder Action Script", @@ -6195,9 +6336,9 @@ }, "c7db5533-ca2a-41f6-a8b0-ee98abe0f573": { "rule_name": "Spike in Network Traffic To a Country", - "sha256": "93087ad72f05b99dd3bc9858cd5edfd5ed9d21a4afa6e01d0d798e78b4e9ab61", + "sha256": "f4b60bfd164d4de31f46f95a825acf02d2de3a0105fbea2b689f27ab7e13639c", "type": "machine_learning", - "version": 104 + "version": 105 }, "c81cefcb-82b9-4408-a533-3c3df549e62d": { "rule_name": "Persistence via Docker Shortcut Modification", @@ -6384,9 +6525,9 @@ }, "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530": { "rule_name": "Anomalous Linux Compiler Activity", - "sha256": "ac7fe1661692762ebf3969e3980d674808ea8cf32e188619fd6e08de268af793", + "sha256": "71e437f699c5d256f96075db61c66ace40b1ed47dd875360db1c99de905bff79", "type": "machine_learning", - "version": 103 + "version": 104 }, "cd66a5af-e34b-4bb0-8931-57d0a043f2ef": { "rule_name": "Kernel Module Removal", 
@@ -6598,15 +6739,15 @@ }, "d4af3a06-1e0a-48ec-b96a-faf2309fae46": { "rule_name": "Unusual Linux System Information Discovery Activity", - "sha256": "1823af90ab9f82af85f6752bb44ce24df6e0ef1e0722d477f91a55675de28c8f", + "sha256": "a740cf8d2af1163a0caf8571d1fa427c9ffbb89c38d76d67e0c2b0c96f6a6eec", "type": "machine_learning", - "version": 103 + "version": 104 }, "d4b73fa0-9d43-465e-b8bf-50230da6718b": { "rule_name": "Unusual Source IP for a User to Logon from", - "sha256": "b9964a7773745de7f347665b66883623fc60d4e0e4a004d0b7e3b5cd79694041", + "sha256": "52036d5d366833aa7013ae971eb5ed3ed41df8bea6cf821f0e49dbd0a551fa1d", "type": "machine_learning", - "version": 103 + "version": 104 }, "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f": { "rule_name": "Linux init (PID 1) Secret Dump via GDB", @@ -6729,9 +6870,9 @@ }, "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9": { "rule_name": "Spike in Logon Events", - "sha256": "d252490036f46e2d8c44e6c0aec56feb27ef9539cd83c5430534df5a0189a203", + "sha256": "c88f7b8030359f06613e9c7fd1bf60b5c1e8f86f7d7febccd34c7969e1077bbc", "type": "machine_learning", - "version": 103 + "version": 104 }, "d7e62693-aab9-4f66-a21a-3d79ecdd603d": { "rule_name": "SMTP on Port 26/TCP", @@ -6751,6 +6892,12 @@ "type": "query", "version": 209 }, + "d93e61db-82d6-4095-99aa-714988118064": { + "rule_name": "NTDS Dump via Wbadmin", + "sha256": "84e3ebcc0dbbee2d61dda40d2f1a217ec6da8bdd5a345ae29b4efc42a3ba7883", + "type": "eql", + "version": 1 + }, "d99a037b-c8e2-47a5-97b9-170d076827c4": { "rule_name": "Volume Shadow Copy Deletion via PowerShell", "sha256": "32bc4e3bb16d80971b9c8bb068a743e7041477c34017d3fd5a9f1f42ca4873b1", 
@@ -6837,9 +6984,9 @@ }, "dca28dee-c999-400f-b640-50a081cc0fd1": { "rule_name": "Unusual Country For an AWS Command", - "sha256": "e6e99ee2cb2084337de3331bcf945c7714a1fc79df6bc880c40dcb399e87a561", + "sha256": "c2be81a4e4f052c6da9119dd200e3ab45d5687ef747f79b3a2cef11bb4568d29", "type": "machine_learning", - "version": 208 + "version": 209 }, "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78": { "rule_name": "Suspicious Execution from INET Cache", @@ -6904,9 +7051,9 @@ }, "df197323-72a8-46a9-a08e-3f5b04a4a97a": { "rule_name": "Unusual Windows User Calling the Metadata Service", - "sha256": "d7b5f6ca8779a491a009ef24fa38c89815905e818546c5671f5dc05bd505e3ce", + "sha256": "d5f633c341e7ba95ad81959129723474ae16c829ff3e3182a147b764bacf405e", "type": "machine_learning", - "version": 103 + "version": 104 }, "df26fd74-1baa-4479-b42e-48da84642330": { "rule_name": "Azure Automation Account Created", @@ -7035,9 +7182,9 @@ }, "e26aed74-c816-40d3-a810-48d6fbd8b2fd": { "rule_name": "Spike in Successful Logon Events from a Source IP", - "sha256": "433470a845fb7c68a2d975d0c852935ae2f613397f228fcbc0508dab28be90ff", + "sha256": "0269e018a4255bfb434cd73bd2e52aef757c68e11659366261fa2c8687dc0948", "type": "machine_learning", - "version": 104 + "version": 105 }, "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", @@ -7365,9 +7512,9 @@ }, "eaa77d63-9679-4ce3-be25-3ba8b795e5fa": { "rule_name": "Spike in Firewall Denies", - "sha256": "2b70a5f6f296ce20ca6fb54b48a52c4bb57dec8c35b7dfc9b661509716a7cc0a", + "sha256": "260bc7516505de6ab2ad79dccd957b4dc8c0f76dcbf987df647077cc0ced1f52", "type": "machine_learning", - "version": 103 + "version": 104 }, "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c": { "rule_name": "Suspicious APT Package Manager Network Connection", 
@@ -7564,9 +7711,9 @@ }, "ef862985-3f13-4262-a686-5f357bbb9bc2": { "rule_name": "Whoami Process Activity", - "sha256": "31ce332f330bc9a1bccdf8f56d0d422431517beafd6fd72a0263e72bf57f2202", + "sha256": "9c2c8cc7096f66d1cccbd876773ab14c54045122e9d6ed221d2182e7f9f4c4c4", "type": "eql", - "version": 111 + "version": 112 }, "ef8cc01c-fc49-4954-a175-98569c646740": { "rule_name": "Potential Data Exfiltration Activity to an Unusual Destination Port", @@ -7706,9 +7853,9 @@ }, "f3e22c8b-ea47-45d1-b502-b57b6de950b3": { "rule_name": "Threat Intel URL Indicator Match", - "sha256": "2e45aadc96febb79204cc0182a5cda5f7b1be5634e47e7c18fc92b429f529471", + "sha256": "cf0a030c5e18e30adb504961ef9b25c02002c86f068800908ed13e0f329267de", "type": "threat_match", - "version": 6 + "version": 7 }, "f41296b4-9975-44d6-9486-514c6f635b2d": { "rule_name": "Potential curl CVE-2023-38545 Exploitation", @@ -7888,9 +8035,9 @@ }, "f9590f47-6bd5-4a49-bd49-a2f886476fb9": { "rule_name": "Unusual Linux Network Configuration Discovery", - "sha256": "4dd687fdbb673c91ffcda22bc2630d7ea3e59cd3af2a796d57bd7077684f6042", + "sha256": "d2f746819d1c581d86f596e696374d72b6b6ef60f9710488f0f34085b80a3e59", "type": "machine_learning", - "version": 104 + "version": 105 }, "f95972d3-c23b-463b-89a8-796b3f369b49": { "rule_name": "Ingress Transfer via Windows BITS", @@ -7963,9 +8110,9 @@ } }, "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "a2061359bd190293621c8e71ff1e35c08834d74f598fc6364b28a74c8af177de", + "sha256": "deebb3f8653613c053c8950cdc1faccaed3b88863584bfe375bab08de94f6b10", "type": "eql", - "version": 211 + "version": 212 }, "fac52c69-2646-4e79-89c0-fd7653461010": { "rule_name": "Potential Disabling of AppArmor", 
@@ -8015,6 +8162,12 @@ "type": "new_terms", "version": 1 }, + "fcf733d5-7801-4eb0-92ac-8ffacf3658f2": { + "rule_name": "User or Group Creation/Modification", + "sha256": "490363306b4257204e506425c71095a8e6d0d7dacd80b8c9ab0d2896a95eeba1", + "type": "eql", + "version": 1 + }, "fd01b949-81be-46d5-bcf8-284395d5f56d": { "rule_name": "GitHub App Deleted", "sha256": "fd7912580b3ee17ae242b79e0c474ed025239a8690cf03c7095cfb0e32458960", @@ -8078,9 +8231,9 @@ }, "fe794edd-487f-4a90-b285-3ee54f2af2d3": { "rule_name": "Microsoft Windows Defender Tampering", - "sha256": "c033fe9cac3214062e42bdc5f3653c396356866c3f62fea669337f7efa7cf7b6", + "sha256": "3b4caccd62315bfba09e8fc1003d105a3d8246446718aad67d327b284b7e2f97", "type": "eql", - "version": 111 + "version": 112 }, "feafdc51-c575-4ed2-89dd-8e20badc2d6c": { "rule_name": "Potential Masquerading as Business App Installer", @@ -8128,9 +8281,9 @@ }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "rule_name": "LSASS Process Access via Windows API", - "sha256": "45523e08c1b08b3aeb6e316fbfd73c257194c643b9c2d30533a4c05de668ca18", + "sha256": "6b4878af88365170479ac74ad0afcc51029ed6448d58fcb9f720bb70d9f25c45", "type": "eql", - "version": 7 + "version": 8 }, "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": { "rule_name": "Microsoft 365 Exchange Transport Rule Creation", diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 0d324a0f504..55b1ed07b79 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py @@ -8,7 +8,7 @@ import gzip import json import re -from collections import OrderedDict +from collections import defaultdict, OrderedDict from pathlib import Path from typing import Generator, List, Tuple, Union, Optional @@ -26,6 +26,7 @@ from .schemas import definitions MANIFEST_FILE_PATH = get_etc_path('integration-manifests.json.gz') +NUM_LATEST_RULE_VERSIONS = 2 SCHEMA_FILE_PATH = get_etc_path('integration-schemas.json.gz') _notified_integrations = set() 
@@ -412,14 +413,27 @@ def load_integration_assets(self, package_version: Version) -> dict: for x in asset_file_names} return assets - def transform_legacy_assets(self, assets: dict) -> dict: - """Transforms legacy rule assets to historical rules.""" - # this code can be removed after the 8.8 minor release - # epr prebuilt rule packages should have appropriate file names - - assets_transformed = {} - for asset_id, contents in assets.items(): - new_asset_id = f"{contents['attributes']['rule_id']}_{contents['attributes']['version']}" - contents["id"] = new_asset_id - assets_transformed[new_asset_id] = contents - return assets_transformed + def keep_latest_versions(self, assets: dict, num_versions: int = NUM_LATEST_RULE_VERSIONS) -> dict: + """Keeps only the latest N versions of each rule to limit historical rule versions in our release package.""" + + # Dictionary to hold the sorted list of versions for each base rule ID + rule_versions = defaultdict(list) + + # Separate rule ID and version, and group by base rule ID + for key in assets: + base_id, version = key.rsplit('_', 1) + version = int(version) # Convert version to an integer for sorting + rule_versions[base_id].append((version, key)) + + # Dictionary to hold the final assets with only the specified number of latest versions + filtered_assets = {} + + # Keep only the last/latest num_versions versions for each rule + # Sort versions and take the last num_versions + # Add the latest versions of the rule to the filtered assets + for base_id, versions in rule_versions.items(): + latest_versions = sorted(versions, key=lambda x: x[0], reverse=True)[:num_versions] + for _, key in latest_versions: + filtered_assets[key] = assets[key] + + return filtered_assets diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py index bc0884f0cdd..702ecbc28cd 100644 --- a/detection_rules/packaging.py +++ b/detection_rules/packaging.py 
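Review bot: `base_id, version = key.rsplit('_', 1)` followed by `int(version)` in `keep_latest_versions` assumes every historical asset id is `<rule_id>_<version>`; now that `transform_legacy_assets` no longer normalizes the ids, an asset whose key lacks the suffix or carries a non-numeric one fails with a bare ValueError deep inside the release build, with nothing naming the malformed key. Parsing the key once inside a try/except that reports the offending key makes the failure actionable, and the docstring should state the expected key shape and the `num_versions` parameter. The `sorted(versions, key=lambda x: x[0], reverse=True)[:num_versions]` can be `heapq.nlargest(num_versions, versions)` or a plain reverse sort, since the `(version, key)` tuples already order by version first. The assets appear to come from the downloaded integration package (`load_integration_assets`, above the hunk), so this is an input boundary worth validating.
```python
    def keep_latest_versions(self, assets: dict, num_versions: int = NUM_LATEST_RULE_VERSIONS) -> dict:
        """Keep only the latest ``num_versions`` versions of each rule.

        ``assets`` is keyed by ``"<rule_id>_<version>"``; a key that does not
        fit that shape raises ValueError naming the key.
        """
        rule_versions = defaultdict(list)
        for key in assets:
            try:
                base_id, version_str = key.rsplit('_', 1)
                version = int(version_str)
            except ValueError as exc:
                raise ValueError(f"Unexpected historical asset id {key!r}; expected '<rule_id>_<version>'") from exc
            rule_versions[base_id].append((version, key))

        # … unchanged: select the num_versions largest (version, key) pairs per base_id …
```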
@@ -251,7 +251,6 @@ def from_config(cls, rule_collection: Optional[RuleCollection] = None, config: O def generate_summary_and_changelog(self, changed_rule_ids, new_rule_ids, removed_rules): """Generate stats on package.""" - from string import ascii_lowercase, ascii_uppercase summary = { 'changed': defaultdict(list), @@ -266,7 +265,7 @@ def generate_summary_and_changelog(self, changed_rule_ids, new_rule_ids, removed 'unchanged': defaultdict(list) } - # build an index map first + # Build an index map first longest_name = 0 indexes = set() for rule in self.rules: @@ -275,8 +274,7 @@ def generate_summary_and_changelog(self, changed_rule_ids, new_rule_ids, removed if index_list: indexes.update(index_list) - letters = ascii_uppercase + ascii_lowercase - index_map = {index: letters[i] for i, index in enumerate(sorted(indexes))} + index_map = {index: str(i) for i, index in enumerate(sorted(indexes))} def get_summary_rule_info(r: TOMLRule): r = r.contents diff --git a/detection_rules/rule.py b/detection_rules/rule.py index bac68c718f0..7ea47e44ac0 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -316,6 +316,9 @@ class Query: @dataclass(frozen=True) class Filter: + """Kibana Filter for Base Rule Data.""" + # TODO: Currently unused in BaseRuleData. Revisit to extend or remove. + # https://github.com/elastic/detection-rules/issues/3773 meta: FilterMeta state: Optional[FilterStateStore] = field(metadata=dict(data_key="$state")) query: Optional[Union[Query, Dict[str, Any]]] = None @@ -349,7 +352,7 @@ class RelatedIntegrations: exceptions_list: Optional[list] license: Optional[str] false_positives: Optional[List[str]] - filters: Optional[List[Filter]] + filters: Optional[List[dict]] # trailing `_` required since `from` is a reserved word in python from_: Optional[str] = field(metadata=dict(data_key="from")) interval: Optional[definitions.Interval] 
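Review bot: Changing `filters: Optional[List[Filter]]` to `Optional[List[dict]]` in the second rule.py hunk drops schema validation of the `filters` field entirely — any mapping now passes rule loading and is forwarded as-is, and the `Filter` dataclass kept just above becomes dead code, as its new TODO comment acknowledges. If the looser type is intentional until issue 3773 is resolved, a `# TODO: unvalidated until Filter is wired back in, see issue 3773` comment on the field itself would make the temporary loss of validation visible where the field is declared, and `Optional[List[Dict[str, Any]]]` would match the typing the file already uses for `Filter.query`. The enclosing dataclass begins outside the hunk, so whether another validator still checks filter structure cannot be confirmed here.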
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 3bb875d3c53..39f42022c83 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -40,7 +40,9 @@ 'network_traffic', 'system', 'windows', - 'sentinel_one_cloud_funnel'] + 'sentinel_one_cloud_funnel', + 'ti_rapid7_threat_command', + 'm365_defender'] NON_PUBLIC_FIELDS = { "related_integrations": (Version.parse('8.3.0'), None), "required_fields": (Version.parse('8.3.0'), None), diff --git a/hunting/generate_markdown.py b/hunting/generate_markdown.py index f71faec5880..fa5dad3b35e 100644 --- a/hunting/generate_markdown.py +++ b/hunting/generate_markdown.py @@ -28,12 +28,13 @@ class Hunt: """Dataclass to represent a hunt.""" author: str + description: str integration: list[str] uuid: str name: str language: str license: str - query: str + query: list[str] notes: Optional[List[str]] = field(default_factory=list) mitre: Optional[List[str]] = field(default_factory=list) references: Optional[List[str]] = field(default_factory=list) @@ -81,11 +82,13 @@ def convert_toml_to_markdown(hunt_config: Hunt, file_path: Path) -> str: markdown = f"# {hunt_config.name}\n\n---\n\n" markdown += "## Metadata\n\n" markdown += f"- **Author:** {hunt_config.author}\n" + markdown += f"- **Description:** {hunt_config.description}\n" markdown += f"- **UUID:** `{hunt_config.uuid}`\n" markdown += f"- **Integration:** {", ".join(generate_integration_links(hunt_config.integration))}\n" markdown += f"- **Language:** `{hunt_config.language}`\n\n" markdown += "## Query\n\n" - markdown += f"```sql\n{hunt_config.query}```\n\n" + for query in hunt_config.query: + markdown += f"```sql\n{query}```\n\n" if hunt_config.notes: markdown += "## Notes\n\n" + "\n".join(f"- {note}" for note in hunt_config.notes) diff --git a/hunting/index.md b/hunting/index.md index eb6207e4337..33bb3d17c8b 100644 --- a/hunting/index.md +++ b/hunting/index.md 
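Review bot: The new loop in `convert_toml_to_markdown`, `for query in hunt_config.query:` appending ``f"```sql\n{query}```\n\n"``, still relies on each query string ending with a newline; a query without one glues the closing fence onto the last line of SQL, and with several queries per hunt the unclosed fence now swallows every following block. Emitting the newline explicitly, ``markdown += f"```sql\n{query.rstrip()}\n```\n\n"``, closes the fence regardless of the TOML value. The new `description: str` is interpolated raw into the metadata list, so any markdown in a description is rendered rather than escaped — acceptable for repo-authored TOML, but worth a one-line comment at the field. `query: list[str]` also sits beside `Optional[List[str]]` fields in the same dataclass; the file should settle on one generic style. The function continues outside the hunk.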
@@ -3,9 +3,9 @@ Here are the queries currently available: ## llm -- [Denial of Service or Resource Exhaustion Attacks Detection](./llm/docs/llm_dos_resource_exhaustion_detection.md) (ES|QL) -- [Monitoring for Latency Anomalies](./llm/docs/llm_latency_anomalies_detection.md) (ES|QL) -- [Sensitive Content Refusal Detection](./llm/docs/llm_sensitive_content_refusal_detection.md) (ES|QL) +- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](./llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md) (ES|QL) +- [AWS Bedrock LLM Latency Anomalies](./llm/docs/aws_bedrock_latency_anomalies_detection.md) (ES|QL) +- [AWS Bedrock LLM Sensitive Content Refusals](./llm/docs/aws_bedrock_sensitive_content_refusal_detection.md) (ES|QL) ## macos 
@@ -13,55 +13,36 @@ Here are the queries currently available: ## windows -- [CreateRemoteThread by source process with low occurrence](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL) -- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md) (ES|QL) -- [Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md) (ES|QL) -- [Detect masquerading attempts as native Windows binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL) -- [Detect Rare DLL SideLoad by Occurrence - Elastic Defend](./windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md) (ES|QL) -- [Detect Rare DLL SideLoad by Occurrence - Sysmon](./windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md) (ES|QL) -- [Detect Rare LSASS Process Access Attempts - Elastic Defend](./windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md) (ES|QL) -- [Detect Rare LSASS Process Access Attempts - Sysmon](./windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md) (ES|QL) -- [Doamin Names queries via Lolbins and with low occurence frequency](./windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Elastic Defend](./windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Sysmon](./windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- [Drivers Load with low occurrence frequency - Windows 7045](./windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md) (ES|QL) -- [Excessive RDP Network Activity by Source Host and User- Elastic Defend - 
Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md) (ES|QL) -- [Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon](./windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md) (ES|QL) -- [Excessive SMB Network Activity by process Id](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL) -- [Executable File creation by an Unusual Microsoft Binary - Elastic Defend](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md) (ES|QL) -- [Executable File creation by an Unusual Microsoft Binary - Sysmon](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md) (ES|QL) -- [Execution via Network Logon by occurrence frequency](./windows/docs/execution_via_network_logon_by_occurrence_frequency.md) (ES|QL) -- [Execution via Network Logon by occurrence frequency by top Source IP](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL) +- [Low Occurrence Rate of CreateRemoteThread by Source Process](./windows/docs/createremotethread_by_source_process_with_low_occurrence.md) (ES|QL) +- [DLL Hijack via Masquerading as Microsoft Native Libraries](./windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md) (ES|QL) +- [Masquerading Attempts as Native Windows Binaries](./windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md) (ES|QL) +- [Rare DLL Side-Loading by Occurrence](./windows/docs/detect_rare_dll_sideload_by_occurrence.md) (ES|QL) +- [Rare LSASS Process Access Attempts](./windows/docs/detect_rare_lsass_process_access_attempts.md) (ES|QL) +- [DNS Queries via LOLBins with Low Occurence Frequency](./windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md) (ES|QL) +- [Low Occurrence of Drivers Loaded on Unique Hosts](./windows/docs/drivers_load_with_low_occurrence_frequency.md) (ES|QL) +- [Excessive RDP 
Network Activity by Host and User](./windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md) (ES|QL) +- [Excessive SMB Network Activity by Process ID](./windows/docs/excessive_smb_network_activity_by_process_id.md) (ES|QL) +- [Executable File Creation by an Unusual Microsoft Binary](./windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md) (ES|QL) +- [Frequency of Process Execution via Network Logon by Source Address](./windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md) (ES|QL) - [Execution via Remote Services by Client Address](./windows/docs/execution_via_remote_services_by_client_address.md) (ES|QL) -- [Execution via Startup with low occurrence frequency](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md) (ES|QL) -- [Execution via Windows Scheduled Task with low occurrence frequency](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL) -- [Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md) (ES|QL) -- [Execution via Windows Services with low occurrence frequency - 
Windows Security](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend Network](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend Network - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md) (ES|QL) -- [High count of network connection over extended period by process - Elastic Defend - Sysmon](./windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md) (ES|QL) -- [Libraries loaded by svchost with low occurrence frequency - Elastic Defend](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Libraries loaded by svchost with low occurrence frequency - Sysmon](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- [Microsoft Office Child Processes with low occurrence frequency](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL) -- [Network Discovery via sensitive ports by unusual process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL) -- [PE File Transfer via SMB_Admin Shares by Agent](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL) -- [PE File Transfer via SMB_Admin Shares by User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md) (ES|QL) -- [Persistence via Run Key with low occurrence frequency - Elastic Defend](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md) (ES|QL) -- [Persistence via Run Key with low occurrence frequency - Sysmon](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md) (ES|QL) -- 
[Persistence via Startup with low occurrence frequency](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL) -- [Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL) -- [Potential Exfiltration by process total egress bytes](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL) -- [Rundll32 execution aggregated by cmdline](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL) -- [Scheduled tasks creation by action via registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL) -- [Scheduled tasks creation with low occurrence frequency](./windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md) (ES|QL) -- [Suspicious Base64 Encoded PowerShell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL) -- [Suspicious DNS TXT Record lookups by process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry](./windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Windows Security 4697](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md) (ES|QL) -- [Unique Windows Services Creation by ServiceFileName - Windows Security 7045](./windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md) (ES|QL) -- [Windows Command and Scripting Interpreter from unusual 
parent](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL) -- [Windows logon activity by source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL) +- [Startup Execution with Low Occurrence Frequency by Unique Host](./windows/docs/execution_via_startup_with_low_occurrence_frequency.md) (ES|QL) +- [Low Frequency of Process Execution via WMI by Unique Agent](./windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md) (ES|QL) +- [Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent](./windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md) (ES|QL) +- [Low Occurence of Process Execution via Windows Services with Unique Agent](./windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md) (ES|QL) +- [High Count of Network Connection Over Extended Period by Process](./windows/docs/high_count_of_network_connection_over_extended_period_by_process.md) (ES|QL) +- [Libraries Loaded by svchost with Low Occurrence Frequency](./windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md) (ES|QL) +- [Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent](./windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md) (ES|QL) +- [Network Discovery via Sensitive Ports by Unusual Process](./windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md) (ES|QL) +- [PE File Transfer via SMB_Admin Shares by Agent or User](./windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md) (ES|QL) +- [Persistence via Run Key with Low Occurrence Frequency](./windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md) (ES|QL) +- [Persistence via Startup with Low Occurrence Frequency by Unique Host](./windows/docs/persistence_via_startup_with_low_occurrence_frequency.md) (ES|QL) +- [Low Occurrence of Suspicious Launch Agent or Launch 
Daemon](./windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md) (ES|QL) +- [Egress Network Connections with Total Bytes Greater than Threshold](./windows/docs/potential_exfiltration_by_process_total_egress_bytes.md) (ES|QL) +- [Rundll32 Execution Aggregated by Command Line](./windows/docs/rundll32_execution_aggregated_by_cmdline.md) (ES|QL) +- [Scheduled tasks Creation by Action via Registry](./windows/docs/scheduled_task_creation_by_action_via_registry.md) (ES|QL) +- [Scheduled Tasks Creation for Unique Hosts by Task Command](./windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md) (ES|QL) +- [Suspicious Base64 Encoded Powershell Command](./windows/docs/suspicious_base64_encoded_powershell_commands.md) (ES|QL) +- [Suspicious DNS TXT Record Lookups by Process](./windows/docs/suspicious_dns_txt_record_lookups_by_process.md) (ES|QL) +- [Unique Windows Services Creation by Service File Name](./windows/docs/unique_windows_services_creation_by_servicefilename.md) (ES|QL) +- [Windows Command and Scripting Interpreter from Unusual Parent Process](./windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md) (ES|QL) +- [Windows Logon Activity by Source IP](./windows/docs/windows_logon_activity_by_source_ip.md) (ES|QL) diff --git a/hunting/llm/docs/llm_dos_resource_exhaustion_detection.md b/hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md similarity index 79% rename from hunting/llm/docs/llm_dos_resource_exhaustion_detection.md rename to hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md index fd01b23659d..0f373c33cbb 100644 --- a/hunting/llm/docs/llm_dos_resource_exhaustion_detection.md +++ b/hunting/llm/docs/aws_bedrock_dos_resource_exhaustion_detection.md 
@@ -1,10 +1,12 @@ -# Denial of Service or Resource Exhaustion Attacks Detection +# AWS Bedrock LLM Denial-of-Service or Resource Exhaustion --- ## Metadata - **Author:** Elastic +- **Description:** This hunting query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. + - **UUID:** `dc181967-c32c-46c9-b84b-ec4c8811c6a0` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` @@ -29,7 +31,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. - Consider reviewing the context of high token requests to differentiate between legitimate heavy usage and potential abuse. Monitor the source of requests and patterns over time for better assessment. - Ensure logging and monitoring are correctly configured to capture detailed metrics on token usage. This will facilitate accurate detection and allow for a quick response to potential threats. - Collect evidence from logs that detail the timestamp, user ID, session information, and token counts for incidents flagged by this analytic. This information will be crucial for forensic analysis in the event of a security incident. @@ -40,7 +41,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Denial of Service or Resource Exhaustion Attacks Detection](../queries/llm_dos_resource_exhaustion_detection.toml) +- [AWS Bedrock LLM Denial-of-Service or Resource Exhaustion](../queries/aws_bedrock_dos_resource_exhaustion_detection.toml) ## License 
diff --git a/hunting/llm/docs/llm_latency_anomalies_detection.md b/hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md similarity index 80% rename from hunting/llm/docs/llm_latency_anomalies_detection.md rename to hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md index 5073e1e3000..8c3c9b791a7 100644 --- a/hunting/llm/docs/llm_latency_anomalies_detection.md +++ b/hunting/llm/docs/aws_bedrock_latency_anomalies_detection.md @@ -1,10 +1,12 @@ -# Monitoring for Latency Anomalies +# AWS Bedrock LLM Latency Anomalies --- ## Metadata - **Author:** Elastic +- **Description:** This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. + - **UUID:** `3708787b-811b-43b1-b2e7-c7276b8db48c` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` @@ -24,7 +26,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. - Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures. - Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives. - Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents. 
@@ -35,7 +36,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Monitoring for Latency Anomalies](../queries/llm_latency_anomalies_detection.toml) +- [AWS Bedrock LLM Latency Anomalies](../queries/aws_bedrock_latency_anomalies_detection.toml) ## License diff --git a/hunting/llm/docs/llm_sensitive_content_refusal_detection.md b/hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md similarity index 78% rename from hunting/llm/docs/llm_sensitive_content_refusal_detection.md rename to hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md index b828a10a922..4def0245222 100644 --- a/hunting/llm/docs/llm_sensitive_content_refusal_detection.md +++ b/hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md @@ -1,10 +1,11 @@ -# Sensitive Content Refusal Detection +# AWS Bedrock LLM Sensitive Content Refusals --- ## Metadata - **Author:** Elastic +- **Description:** This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards. - **UUID:** `8fabae86-7ed2-4006-9623-5db28164f374` - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) - **Language:** `ES|QL` 
@@ -24,7 +25,6 @@ from logs-aws_bedrock.invocation-* ## Notes -- This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards. - Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries. - Regularly review and update the phrases that trigger refusals to adapt to new ethical guidelines and compliance requirements. - Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams. @@ -35,7 +35,7 @@ from logs-aws_bedrock.invocation-* - https://www.elastic.co/security-labs/elastic-advances-llm-security - https://owasp.org/www-project-top-10-for-large-language-model-applications/ -- [Sensitive Content Refusal Detection](../queries/llm_sensitive_content_refusal_detection.toml) +- [AWS Bedrock LLM Sensitive Content Refusals](../queries/aws_bedrock_sensitive_content_refusal_detection.toml) ## License diff --git a/hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml b/hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml similarity index 82% rename from hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml rename to hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml index 8e693d42f26..1288ca5f0a5 100644 --- a/hunting/llm/queries/llm_dos_resource_exhaustion_detection.toml +++ b/hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml 
@@ -1,11 +1,15 @@ [hunt] author = "Elastic" +description = """ +This hunting query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks. +""" integration = ["aws_bedrock.invocation"] uuid = "dc181967-c32c-46c9-b84b-ec4c8811c6a0" -name = "Denial of Service or Resource Exhaustion Attacks Detection" +name = "AWS Bedrock LLM Denial-of-Service or Resource Exhaustion" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [ +''' from logs-aws_bedrock.invocation-* | WHERE @timestamp > NOW() - 1 DAY AND ( @@ -20,8 +24,8 @@ from logs-aws_bedrock.invocation-* | WHERE request_count > 1 | SORT max_prompt_tokens, max_request_tokens, max_completion_tokens DESC ''' +] notes = [ - "This query identifies unusual spikes in token usage that may indicate malicious attempts to disrupt services. High token usage can strain system resources and degrade performance, aligning with tactics observed in DoS attacks.", "Consider reviewing the context of high token requests to differentiate between legitimate heavy usage and potential abuse. Monitor the source of requests and patterns over time for better assessment.", "Ensure logging and monitoring are correctly configured to capture detailed metrics on token usage. This will facilitate accurate detection and allow for a quick response to potential threats.", "Collect evidence from logs that detail the timestamp, user ID, session information, and token counts for incidents flagged by this analytic. This information will be crucial for forensic analysis in the event of a security incident." 
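Review bot: `| SORT max_prompt_tokens, max_request_tokens, max_completion_tokens DESC` in the second hunk orders only the last key descending — in ES|QL the direction is given per column and defaults to ascending — so the results lead with the smallest `max_prompt_tokens`, the opposite of what a token-spike hunt wants at the top of the list. Apply the direction to every key: `| SORT max_prompt_tokens DESC, max_request_tokens DESC, max_completion_tokens DESC`. The `STATS` that derives these columns lies between the two hunks and is not visible here, so confirm the column names against it. The change to `query = [ ''' ... ''' ]` itself looks fine, provided the loader now expects a list.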
diff --git a/hunting/llm/queries/llm_latency_anomalies_detection.toml b/hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml
similarity index 82%
rename from hunting/llm/queries/llm_latency_anomalies_detection.toml
rename to hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml
index 96e3253cbb4..52ef8b35674 100644
--- a/hunting/llm/queries/llm_latency_anomalies_detection.toml
+++ b/hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml
@@ -1,11 +1,15 @@
 [hunt]
 author = "Elastic"
+description = """
+This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.
+"""
 integration = ["aws_bedrock.invocation"]
 uuid = "3708787b-811b-43b1-b2e7-c7276b8db48c"
-name = "Monitoring for Latency Anomalies"
+name = "AWS Bedrock LLM Latency Anomalies"
 language = "ES|QL"
 license = "Elastic License v2"
-query = '''
+query = [
+'''
 from logs-aws_bedrock.invocation-*
 | WHERE @timestamp > NOW() - 1 DAY
 | EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000
@@ -15,8 +19,8 @@ from logs-aws_bedrock.invocation-* | WHERE request_count > 3 | SORT max_response_delay DESC ''' +] notes = [ - "This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies.", "Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures.", "Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives.", "Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents." diff --git a/hunting/llm/queries/llm_sensitive_content_refusal_detection.toml b/hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml similarity index 82% rename from hunting/llm/queries/llm_sensitive_content_refusal_detection.toml rename to hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml index 535f8879c54..ed5c16deca7 100644 --- a/hunting/llm/queries/llm_sensitive_content_refusal_detection.toml +++ b/hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml @@ -1,11 +1,13 @@ [hunt] author = "Elastic" +description = "This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards." integration = ["aws_bedrock.invocation"] uuid = "8fabae86-7ed2-4006-9623-5db28164f374" -name = "Sensitive Content Refusal Detection" +name = "AWS Bedrock LLM Sensitive Content Refusals" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [ +''' from logs-aws_bedrock.invocation-* | WHERE @timestamp > NOW() - 1 DAY AND ( 
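Review bot: `| EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000` truncates to whole seconds if the field is mapped as an integer type, because ES|QL `/` on two integer operands is integer division; the field's mapping is not visible in this hunk, so check it. If it is `long`, write `| EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000.0` so sub-second latency survives into `max_response_delay` and the `> 3` request-count gate is not applied to a coarsened value. The `STATS` between the two hunks is where `max_response_delay` and `request_count` are computed, and is outside this view.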
@@ -15,8 +17,8 @@ from logs-aws_bedrock.invocation-* | STATS user_request_count = count() BY gen_ai.user.id | WHERE user_request_count >= 3 ''' +] notes = [ - "This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards.", "Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries.", "Regularly review and update the phrases that trigger refusals to adapt to new ethical guidelines and compliance requirements.", "Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams." diff --git a/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md b/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md index 9d689608af4..1296c555893 100644 --- a/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md +++ b/hunting/macos/docs/suspicious_network_connections_by_unsigned_macho.md @@ -5,6 +5,8 @@ ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregates by process ID and destination IP by the number of connections per hour over a period of time greater than a defined threshold. This may indicate suspicious network connections by unsigned Mach-O binaries. + - **UUID:** `44aff0e3-e0d7-4dca-a94f-2dd0b96f18bd` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -14,8 +16,8 @@ ```sql from logs-endpoint.events.network-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "network" and - (process.code_signature.exists == false or process.code_signature.trusted != true) and +| where host.os.family == "macos" and event.category == "network" and + (process.code_signature.exists == false or process.code_signature.trusted != true) and /* excluding private IP ranges */ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.name, process.entity_id, @timestamp @@ -29,8 +31,8 @@ from logs-endpoint.events.network-* ## Notes -- This hunt aggregates by process ID and destination IP the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. -- Hunt can be extended by adding suspicious process paths or lolbins. +- This hunt returns a list of processes by entity_id and name that have a high number of connections per hour over a period of time greater than a defined threshold. +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) 
diff --git a/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml b/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml
index b8987070cd7..1335175eb9c 100644
--- a/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml
+++ b/hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml
@@ -1,20 +1,24 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregates by process ID and destination IP by the number of connections per hour over a period of time greater than a defined threshold. This may indicate suspicious network connections by unsigned Mach-O binaries. +""" integration = ["endpoint"] uuid = "44aff0e3-e0d7-4dca-a94f-2dd0b96f18bd" name = "Suspicious Network Connections by Unsigned Mach-O" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt aggregates by process ID and destination IP the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process.", "Hunt can be extended by adding suspicious process paths or lolbins.", + "This hunt returns a list of processes by entity_id and name that have a high number of connections per hour over a period of time greater than a defined threshold.", + "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).", ] mitre = ["T1071"] - -query = ''' +query = [ +''' from logs-endpoint.events.network-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "network" and - (process.code_signature.exists == false or process.code_signature.trusted != true) and +| where host.os.family == "macos" and event.category == "network" and + (process.code_signature.exists == false or process.code_signature.trusted != true) and /* excluding private IP ranges */ not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", 
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.name, process.entity_id, @timestamp @@ -24,4 +28,5 @@ from logs-endpoint.events.network-* | keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour /* threshold is set to 120 connections per minute, you can adjust it to your env/FP rate */ | where duration_hours >= 8 and number_of_con_per_hour >= 120 -''' \ No newline at end of file +''' +] diff --git a/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md b/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md index ed7e810f929..f2972c3a436 100644 --- a/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md +++ b/hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md @@ -1,10 +1,11 @@ -# CreateRemoteThread by source process with low occurrence +# Low Occurrence Rate of CreateRemoteThread by Source Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host. - **UUID:** `0545f23f-84a7-4b88-9b5b-b8cfcfdc9276` - **Integration:** [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -12,7 +13,7 @@ ## Query ```sql -from logs-windows.sysmon_operational-* +from logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread" | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 
@@ -23,8 +24,7 @@ from logs-windows.sysmon_operational-* ## Notes -- This hunt aggregates Sysmon CreateRemoteThread events by source process and returns the ones that we observed in only one unique host. This may indicate remote process injection. -- Adding winlog.event_data.TargetImage to the group by clause can be beneficial but may introduce more legit hits. +- Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives. ## MITRE ATT&CK Techniques - [T1055](https://attack.mitre.org/techniques/T1055) diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md new file mode 100644 index 00000000000..554a41cdbd4 --- /dev/null +++ b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md 
@@ -0,0 +1,62 @@ +# DLL Hijack via Masquerading as Microsoft Native Libraries + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies when a process loads a DLL normally located in `System32` or `SysWOW64` folders from an unusual path. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. The host count also should help exclude false-positives by looking at low occurrences when this abnormal behavior is limited to unique agents. +- **UUID:** `87c97865-fdaa-48b2-bfa6-67bed7cf56ef` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and + not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id + /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ +| ENRICH libs-policy-defend + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count 
= count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 +| sort host_count asc +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep file.name, file.path, file.hash.sha256, process.executable, host.id + /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ +| ENRICH libs-policy-sysmon + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 +| sort host_count asc +``` + +## Notes + +- This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data. +- This hunt requires the creation of an [enrichment policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html) to use with the ES|QL (ENRICH command). +- The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose. 
+- Paths like `C:\Users\Public and C:\ProgramData\` are often observed in malware employing DLL side-loading.
+## MITRE ATT&CK Techniques
+
+- [T1574](https://attack.mitre.org/techniques/T1574)
+- [T1574.001](https://attack.mitre.org/techniques/T1574/001)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md
deleted file mode 100644
index c145a5cd474..00000000000
--- a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.md
+++ /dev/null
@@ -1,43 +0,0 @@ -# Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `87c97865-fdaa-48b2-bfa6-67bed7cf56ef` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and - not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id - /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ -| ENRICH libs-policy-defend - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 -| sort host_count asc -``` - -## Notes - -- This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command). -- The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose. 
-- Paths like C:\Users\Public and C:\ProgramData\ are often observed in malware employing DLL side-loading.
-## MITRE ATT&CK Techniques
-
-- [T1574](https://attack.mitre.org/techniques/T1574)
-- [T1574.001](https://attack.mitre.org/techniques/T1574/001)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md b/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md
deleted file mode 100644
index eea9bcfc381..00000000000
--- a/hunting/windows/docs/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.md
+++ /dev/null
@@ -1,44 +0,0 @@ -# Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `68314691-1460-4ac5-ae0d-6b3514e43254` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep file.name, file.path, file.hash.sha256, process.executable, host.id - /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ -| ENRICH libs-policy-sysmon - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 -| sort host_count asc -``` - -## Notes - -- This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command). -- Using dll.hash.sha256 for Elastic Defend or file.hash.sha256 for Sysmon you can pivot to further investigate the DLL origin and purpose. 
-- Paths like C:\Users\Public and C:\ProgramData\ are often observed in malware employing DLL side-loading. -- Process code signature information is not captured in Sysmon Image Load Events (not present in the ES|QL hunt). -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.001](https://attack.mitre.org/techniques/T1574/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md b/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md index 88ce8654b4c..0060613108e 100644 --- a/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md +++ b/hunting/windows/docs/detect_masquerading_attempts_as_native_windows_binaries.md @@ -1,10 +1,11 @@ -# Detect masquerading attempts as native Windows binaries +# Masquerading Attempts as Native Windows Binaries --- ## Metadata - **Author:** Elastic +- **Description:** This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. - **UUID:** `93a72542-a1f7-4407-9175-8f066343db60` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -27,8 +28,8 @@ from logs-endpoint.events.process-* ## Notes -- Output of the query is the process.name and host.id, you can pivot by host.id and process.name(non Microsoft signed) to find the specific suspicious instances. -- Potential false positives include processes with missing code signature details due to enrichment bugs. +- Output of the query is the `process.name` and `host.id` where you can pivot by `host.id` and `process.name` (non Microsoft signed) to find the specific suspicious instances. +- Potential false-positives include processes with missing code signature details due to enrichment bugs. - The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported). ## MITRE ATT&CK Techniques diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md new file mode 100644 index 00000000000..af1dc7fbfcd --- /dev/null +++ b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence.md 
@@ -0,0 +1,58 @@ +# Rare DLL Side-Loading by Occurrence + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies instances where a signed Windows process attempts to load an unsigned DLL from the same process folder. Matches are limited to a unique host with low library load occurrence. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. +- **UUID:** `bcdb7c29-1312-4974-8f2e-10ddeb09cf5c` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by 
dll_folder, dll.name, process.name, dll.hash.sha256 +/* total_count can be adjusted to higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name +/* paths normalization by removing random patterns */ +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 +/* total_count can be adjusted to higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 +| keep total_count, host_count, dll_folder, file.name, 
process.name, file.hash.sha256 +``` + +## Notes + +- This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data. +- Based on the returned results you can further investigate suspicious DLLs by sha256 and library path. +- Paths like `C:\\Users\\Public` and `C:\\ProgramData\\` are often observed in malware employing DLL side-loading. +- Elastic Defned DLL Events include `dll.Ext.relative_file_creation_time` which help us limit the hunt to recently dropped DLLs. +## MITRE ATT&CK Techniques + +- [T1574](https://attack.mitre.org/techniques/T1574) +- [T1574.002](https://attack.mitre.org/techniques/T1574/002) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md deleted file mode 100644 index eed842ad621..00000000000 --- a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_elastic_defend.md +++ /dev/null 
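Review bot: The Description states that the hunt matches a signed Windows process loading an unsigned DLL, but the second (Sysmon) query in this hunk only tests `file.code_signature.status != "Valid"` and has no condition on the process signature, so its results also include loads by unsigned parents; the Description or the Notes should say that the signed-process condition holds only for the Elastic Defend query (the deleted masquerading Sysmon doc earlier in this diff carried exactly that caveat about Sysmon image-load events lacking process code signature). The Notes line `Elastic Defned DLL Events include ...` misspells Defend. If this markdown is generated from the hunt's TOML definition, both fixes belong in that source rather than in the rendered file.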
@@ -1,40 +0,0 @@ -# Detect Rare DLL SideLoad by Occurrence - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `bcdb7c29-1312-4974-8f2e-10ddeb09cf5c` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 -``` - -## Notes - -- Based on the returned results you can further 
investigate suspicious DLLs by sha256 and library path. -- Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading. -- Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs. -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.002](https://attack.mitre.org/techniques/T1574/002) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md b/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md deleted file mode 100644 index 6056a0cc5cd..00000000000 --- a/hunting/windows/docs/detect_rare_dll_sideload_by_occurrence_sysmon.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Detect Rare DLL SideLoad by Occurrence - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `0df1e142-7d70-4112-be8d-6c60ac812883` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name -/* paths normalization by removing random patterns */ -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 -| keep total_count, host_count, dll_folder, 
file.name, process.name, file.hash.sha256 -``` - -## Notes - -- Based on the returned results you can further investigate suspicious DLLs by sha256 and library path. -- Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading. -- Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs. -## MITRE ATT&CK Techniques - -- [T1574](https://attack.mitre.org/techniques/T1574) -- [T1574.002](https://attack.mitre.org/techniques/T1574/002) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md new file mode 100644 index 00000000000..f00621d8408 --- /dev/null +++ b/hunting/windows/docs/detect_rare_lsass_process_access_attempts.md 
@@ -0,0 +1,52 @@ +# Rare LSASS Process Access Attempts + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS. + +- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.api* +| where @timestamp > NOW() - 7 day +| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and + Target.process.name == "lsass.exe" +| keep process.executable.caseless, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats occurences = count(process), agents = count_distinct(host.id) by process +| where agents == 1 and occurences <= 10 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and + winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") +| keep process.executable, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process_path = replace(process.executable, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path +| where agents == 1 and occurences <= 10 +``` + +## Notes + +- Based on the process.executable and process.name you can pivot and investigate further for the matching instances. +- Potential false-positives include rare legitimate conditions that may trigger this behavior due to third-party software or LSASS crashing. +## MITRE ATT&CK Techniques + +- [T1003](https://attack.mitre.org/techniques/T1003) +- [T1003.001](https://attack.mitre.org/techniques/T1003/001) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md deleted file mode 100644 index eb78c28acb0..00000000000 --- a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_elastic_defend.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Detect Rare LSASS Process Access Attempts - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.api* -| where @timestamp > NOW() - 7 day -| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and - Target.process.name == "lsass.exe" -| keep process.executable.caseless, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats occurences = count(process), agents = count_distinct(host.id) by process -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Based on the process.executable and process.name you can pivot and investigate further the matching instances. -- Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash. -## MITRE ATT&CK Techniques - -- [T1003](https://attack.mitre.org/techniques/T1003) -- [T1003.001](https://attack.mitre.org/techniques/T1003/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md b/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md deleted file mode 100644 index 90a1d7097d0..00000000000 --- a/hunting/windows/docs/detect_rare_lsass_process_access_attempts_sysmon.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Detect Rare LSASS Process Access Attempts - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `3978e183-0b70-4e1c-8c40-24e367f6db5a` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and - winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") -| keep process.executable, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path -| where agents == 1 and occurences <= 10 -``` - -## Notes - -- Based on the process.executable and process.name you can pivot and investigate further the matching instances. -- Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash. -## MITRE ATT&CK Techniques - -- [T1003](https://attack.mitre.org/techniques/T1003) -- [T1003.001](https://attack.mitre.org/techniques/T1003/001) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md similarity index 62% rename from hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md rename to hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md index 4f395303679..9ca5fde9043 100644 --- a/hunting/windows/docs/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.md +++ b/hunting/windows/docs/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md @@ -1,10 +1,12 @@ -# Doamin Names queries via Lolbins and with low occurence frequency +# DNS Queries via LOLBins with Low Occurence Frequency --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for DNS queries performed by commonly abused Microsoft binaries that perform remote file transfer or binary proxy execution. Aggregations for the number of occurrences is limited to one host to reduce the number of potentially legitimate hits. + - **UUID:** `ebf8eb13-c98a-4d2c-8bdb-3f72a3a3961b` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` 
@@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and - event.action in ("lookup_requested", "DNSEvent (DNS query)") and - process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}""" +| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and + event.action in ("lookup_requested", "DNSEvent (DNS query)") and + process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}""" | keep process.name, dns.question.name, host.id | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name | where hosts == 1 
@@ -23,8 +25,8 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* ## Notes -- Utilities like curl and SSL verification web-servvices are noisy, while others are rare like scripting utilities and are worth further investigation. -- Connection to legit domains like github, discord, telegram and many other legit web-services by lolbins is still suspicious and require further investigation. +- Utilities like curl and SSL verification for web services are noisy, while others are rare such as scripting utilities and are worth further investigation. +- Connection to legit domains like Github, Discord, Telegram and many other legit web services by LOLBins is still suspicious and require further investigation. ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..8167a99d2a8 --- /dev/null +++ b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency.md 
@@ -0,0 +1,57 @@ +# Low Occurrence of Drivers Loaded on Unique Hosts + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt helps identify drivers loaded once on a unique host and with a unique hash over a 15 day period of time. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. + +- **UUID:** `99818ad6-c242-4da7-a41a-df64fe7314d6` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > now() - 15 day +| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900 +| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash +| where host_count == 1 and total_count == 1 and hash_count == 1 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > now() - 15 day +| where host.os.family == "windows" and event.category == "driver" +| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name +| where host_count == 1 and total_count == 1 and hash_count == 1 +``` + +```sql +from logs-system.system-* +| where @timestamp > now() - 15day +| where host.os.family == "windows" and event.code == "7045" and + winlog.event_data.ServiceType == "kernel mode driver" +| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval 
ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +``` + +## Notes + +- This hunt has three optional queries, one for Elastic Defend data, another for Sysmon data and the last one for Windows 7045 events. +- Further investigation can be done pivoting by `dll.pe.imphash` or `dll.name.` +- `dll.Ext.relative_file_creation_time` is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). +- Aggregation can also be done by `dll.hash.sha256` / `file.hash.sha256` but will return more results. +- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). +## MITRE ATT&CK Techniques + +- [T1068](https://attack.mitre.org/techniques/T1068) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md deleted file mode 100644 index 3ea91098b8e..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_elastic_defend.md +++ /dev/null 
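Review bot: The Notes claim further investigation pivots on `dll.pe.imphash` or `dll.name`, but only the first (Elastic Defend) query groups by those fields; the Sysmon query groups by `file.name` and the 7045 query by the normalized `ServiceFileName`, so the note should name the pivot field per query (and the period inside the backticks in `dll.name.` should move outside). The sentence `Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious` reads as if the technique were benign; it should say that drivers abused in BYOVD are legitimately signed and not flagged as malicious, which is why hits need context from surrounding events. The third query writes `now() - 15day` while the other two use `15 day`; if the parser does not accept the unspaced form the query fails outright, so normalize it to the spaced form.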
@@ -1,34 +0,0 @@ -# Drivers Load with low occurrence frequency - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `99818ad6-c242-4da7-a41a-df64fe7314d6` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900 -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash -| where host_count == 1 and total_count == 1 and hash_count == 1 -``` - -## Notes - -- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. -- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). -- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results. -- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). -## MITRE ATT&CK Techniques - -- [T1068](https://attack.mitre.org/techniques/T1068) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md deleted file mode 100644 index 8fbd8a21b2c..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_sysmon.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Drivers Load with low occurrence frequency - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `6bb90aba-af6b-4128-a9b2-160e164a15ff` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name -| where host_count == 1 and total_count == 1 and hash_count == 1 -``` - -## Notes - -- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode. -- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend). -- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results. -- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.). -## MITRE ATT&CK Techniques - -- [T1068](https://attack.mitre.org/techniques/T1068) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md b/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md deleted file mode 100644 index 4dbfe25f8ad..00000000000 --- a/hunting/windows/docs/drivers_load_with_low_occurrence_frequency_windows_7045.md +++ /dev/null 
@@ -1,38 +0,0 @@
-# Drivers Load with low occurrence frequency - Windows 7045
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `bc4848ce-5323-42b4-a559-3333c11ca938`
-- **Integration:** [system](https://docs.elastic.co/integrations/system)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-system.system-*
-| where @timestamp > now() - 15day
-| where host.os.family == "windows" and event.code == "7045" and
- winlog.event_data.ServiceType == "kernel mode driver"
-| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
-| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
-| where hosts == 1 and cc == 1
-```
-
-## Notes
-
-- This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.
-- dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).
-- aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.
-- Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).
-## MITRE ATT&CK Techniques
-
-- [T1068](https://attack.mitre.org/techniques/T1068)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md
deleted file mode 100644
index e518b168b99..00000000000
--- a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Excessive RDP Network Activity by Source Host and User- Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `fe01a8a5-6367-4c4c-a57b-be513ab80e42`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
- network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
-| keep destination.ip, host.id, user.name
-| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
- /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
-| where count_unique_dst >= 10
-```
-
-## Notes
-
-- This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.
-- Further investigation can done pivoting by host.id and user name.
-- Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.
-## MITRE ATT&CK Techniques
-
-- [T1021](https://attack.mitre.org/techniques/T1021)
-- [T1021.001](https://attack.mitre.org/techniques/T1021/001)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md
new file mode 100644
index 00000000000..8fb9f6ab98b
--- /dev/null
+++ b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_and_user.md
@@ -0,0 +1,48 @@
+# Excessive RDP Network Activity by Host and User
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt looks for a high occurrence of remote desktop connections from the same host and user. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol (RDP).
+
+- **UUID:** `fe01a8a5-6367-4c4c-a57b-be513ab80e42`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| keep destination.ip, host.id, user.name
+| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
+ /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
+| where count_unique_dst >= 10
+```
+
+```sql
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| stats agents = count_distinct(host.id) by source.ip
+| where agents >= 10
+```
+
+## Notes
+
+- Further investigation can done pivoting by `host.id` and `user.name`.
+- Depending on normal SysAdmin RDP activity, the threshold of 10 can be adjusted to reduce normal noisy activity.
+- The second query uses Windows Security log event ID 4624 to summarize numbers of RDP connections by `source.ip` and `user.name` and duration.
+## MITRE ATT&CK Techniques
+
+- [T1021](https://attack.mitre.org/techniques/T1021)
+- [T1021.001](https://attack.mitre.org/techniques/T1021/001)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md b/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md
deleted file mode 100644
index b44024fb79d..00000000000
--- a/hunting/windows/docs/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `6ff3a518-3bf4-4e7d-9a66-2ef7aaa68cfc`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and
- network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
-| stats agents = count_distinct(host.id) by source.ip
-| where agents >= 10
-```
-
-## Notes
-
-- This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.
-- Further investigation can done pivoting by host.id and user name.
-- Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.
-## MITRE ATT&CK Techniques
-
-- [T1021](https://attack.mitre.org/techniques/T1021)
-- [T1021.001](https://attack.mitre.org/techniques/T1021/001)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md b/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md
index f02bee6dcf5..27b6f75bfb7 100644
--- a/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md
+++ b/hunting/windows/docs/excessive_smb_network_activity_by_process_id.md
@@ -1,10 +1,12 @@
-# Excessive SMB Network Activity by process Id
+# Excessive SMB Network Activity by Process ID
 ---
 ## Metadata
 - **Author:** Elastic
+- **Description:** This hunt looks for a high occurrence of SMB connections from the same process by unique destination IP addresses. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of SMB scanning or lateral movement via remote services that depend on the SMB protocol.
+
 - **UUID:** `6949135b-76d7-47a3-ae95-ef482508fb7c`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
 - **Language:** `ES|QL`
@@ -12,9 +14,9 @@
 ## Query
 ```sql
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
 network.transport == "tcp"and destination.port == 445 and source.port >= 49152 and process.pid == 4
 | keep destination.ip, process.entity_id, host.id
 | stats count_unique_dst = count_distinct(destination.ip) by process.entity_id, host.id
@@ -24,9 +26,8 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
 ## Notes
-- This hunt looks for high number of SMB connections from same process to more than a defined threshold of unique destination Ip addresses. This could be a sign of SMB scanning or some lateral movement via remote services that depend on SMB protocol.
-- Further investigation can done pivoting by process.entity_id and host.id.
-- Maximum number of unique destination.ip by process can be adjusted to your environment to reduce normal noisy hosts by Id.
+- Further investigation can done pivoting by `process.entity_id` and `host.id.`
+- Maximum number of unique `destination.ip` by process can be adjusted to your environment to reduce normal noisy hosts by process ID.
 ## MITRE ATT&CK Techniques
 - [T1021](https://attack.mitre.org/techniques/T1021)
diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
new file mode 100644
index 00000000000..60e64eddaed
--- /dev/null
+++ b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary.md
@@ -0,0 +1,51 @@
+# Executable File Creation by an Unusual Microsoft Binary
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies executable file creation by an unusual Microsoft native binary. This could be the result of
+code injection or some other form of exploitation for defense evasion.
+
+- **UUID:** `3b2900fe-74d9-4c49-b3df-cbeceb02e841`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.file-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and
+ starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
+ starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
+| keep process.executable, host.id
+| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurences <= 10
+```
+
+```sql
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and
+ file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
+| keep process.executable, host.id
+| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurences <= 10
+```
+
+## Notes
+
+- This hunt includes two optional queries, one for Elastic Defend data and another for Sysmon data.
+- Sysmon file events don't populate file header and process code signature information thus we use `file.extension`.
+- Some exploits may result in the creation of an executable file by the exploited process.
+- Further investigation can be done by pivoting on `process.executable` and filtering for executable file creation.
+## MITRE ATT&CK Techniques
+
+- [T1211](https://attack.mitre.org/techniques/T1211)
+- [T1055](https://attack.mitre.org/techniques/T1055)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md
deleted file mode 100644
index 630befd5396..00000000000
--- a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Executable File creation by an Unusual Microsoft Binary - Elastic Defend
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `3b2900fe-74d9-4c49-b3df-cbeceb02e841`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.file-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and
- starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
- starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
-| keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
-```
-
-## Notes
-
-- Sysmon file event don't populate file header and process code signature information thus the use of file.extension.
-- Some exploits may result in the creation of an executable file by the exploited process.
-- Further investigation can be done pivoting by process.executable and filter for executable file creation.
-## MITRE ATT&CK Techniques
-
-- [T1211](https://attack.mitre.org/techniques/T1211)
-- [T1055](https://attack.mitre.org/techniques/T1055)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md b/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md
deleted file mode 100644
index 2a0ef394a9b..00000000000
--- a/hunting/windows/docs/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Executable File creation by an Unusual Microsoft Binary - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `36c94354-9d6e-4dc5-b2aa-a7cf578a4169`
-- **Integration:** [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-windows.sysmon_operational-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and
- file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
-| keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
-```
-
-## Notes
-
-- Sysmon file event don't populate file header and process code signature information thus the use of file.extension.
-- Some exploits may result in the creation of an executable file by the exploited process.
-- Further investigation can be done pivoting by process.executable and filter for executable file creation.
-## MITRE ATT&CK Techniques
-
-- [T1211](https://attack.mitre.org/techniques/T1211)
-- [T1055](https://attack.mitre.org/techniques/T1055)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md
deleted file mode 100644
index 0626e574e55..00000000000
--- a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Execution via Network Logon by occurrence frequency
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `fd3f9982-fd8c-4f0f-bbe6-e589752c34db`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and
- event.category == "process" and event.action == "start" and
- /* network logon type and the execution is within 30 seconds of the logon time */
- process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30
-| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name
- /* unique hash limited to one host and number of execution is 1 */
-| where hosts == 1 and total == 1
-```
-
-## Notes
-
-- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.
-- Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.
-- Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.
-## MITRE ATT&CK Techniques
-
-- [T1021](https://attack.mitre.org/techniques/T1021)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
index fc27d3f52ea..818f73aea8d 100644
--- a/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
+++ b/hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md
@@ -1,10 +1,12 @@
-# Execution via Network Logon by occurrence frequency by top Source IP
+# Frequency of Process Execution via Network Logon by Source Address
 ---
 ## Metadata
 - **Author:** Elastic
+- **Description:** This hunt aggregates process execution and remote network logons by source address, account name and process hash. It then limits the results by unique host within a 7 day period. This may indicate lateral movement via remote services.
+
 - **UUID:** `ae07c580-290e-4421-add8-d6ca30509b6a`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
 - **Language:** `ES|QL`
@@ -13,8 +15,8 @@
 ```sql
 from logs-endpoint.events.process-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and
- event.category == "process" and event.action == "start" and
+| where @timestamp > now() - 7 day and host.os.family == "windows" and
+ event.category == "process" and event.action == "start" and
 /* network logon type and the execution is within 30 seconds of the logon time */
 process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30
 | stats total = count(*) by process.Ext.session_info.client_address, user.name
@@ -22,11 +24,23 @@ from logs-endpoint.events.process-*
 | sort total desc
 ```
+```sql
+from logs-endpoint.events.process-*
+| where @timestamp > now() - 7 day and host.os.family == "windows" and
+ event.category == "process" and event.action == "start" and
+ /* network logon type and the execution is within 30 seconds of the logon time */
+ process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30
+| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name
+ /* unique hash limited to one host and number of execution is 1 */
+| where hosts == 1 and total == 1
+```
+
 ## Notes
-- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.
-- Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.
-- Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.
+- The second query highest occurrence of source addresses/accounts performing remote process execution
+- `process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+ and above.
+- Execution via legitimate Microsoft processes for PowerShell and cmd need to be further investigated via aggregation by `process.command_line`.
+- Aggregation can be also done by `process.executable`, normalizing process path by removing random patterns using the ES|QL REPLACE function.
 ## MITRE ATT&CK Techniques
 - [T1021](https://attack.mitre.org/techniques/T1021)
diff --git a/hunting/windows/docs/execution_via_remote_services_by_client_address.md b/hunting/windows/docs/execution_via_remote_services_by_client_address.md
index 91f0d2c55e9..94dc4e1dd54 100644
--- a/hunting/windows/docs/execution_via_remote_services_by_client_address.md
+++ b/hunting/windows/docs/execution_via_remote_services_by_client_address.md
@@ -5,6 +5,8 @@
 ## Metadata
 - **Author:** Elastic
+- **Description:** This hunt aggregates process execution via remote network logon by source address, account name and where the parent process is related to remote services such as WMI, WinRM, DCOM and remote PowerShell. This may indicate lateral movement via remote services.
+
 - **UUID:** `e6e54717-2676-4785-a4a6-503577bfb0ea`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
 - **Language:** `ES|QL`
@@ -13,10 +15,10 @@
 ```sql
 from logs-endpoint.events.process-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and
- event.category == "process" and event.action == "start" and
+| where @timestamp > now() - 7 day and host.os.family == "windows" and
+ event.category == "process" and event.action == "start" and
 /* network logon type */
- process.Ext.session_info.logon_type == "Network" and
+ process.Ext.session_info.logon_type == "Network" and
 (process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") or (process.parent.name == "svchost.exe" and process.parent.args == "DcomLaunch"))
 | stats total = count(*), hosts = count_distinct(host.id) by process.Ext.session_info.client_address, user.name, process.parent.name
 /* sort by top source.ip and account */
@@ -25,7 +27,7 @@ from logs-endpoint.events.process-*
 ## Notes
-- process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.
+- `process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+.
 ## MITRE ATT&CK Techniques
 - [T1021](https://attack.mitre.org/techniques/T1021)
diff --git a/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md
index 6b2c4a68d07..845b308f98f 100644
--- a/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md
+++ b/hunting/windows/docs/execution_via_startup_with_low_occurrence_frequency.md
@@ -1,10 +1,12 @@
-# Execution via Startup with low occurrence frequency
+# Startup Execution with Low Occurrence Frequency by Unique Host
 ---
 ## Metadata
 - **Author:** Elastic
+- **Description:** This hunt identifies programs started shortly after user logon and presence limited to a unique host. Run registry key and Startup folder cause programs to run each time that a user logs on and are often abused by malwares to maintain persistence on an endpoint.
+
 - **UUID:** `a447df80-d3d5-48b3-a175-a864264ec487`
 - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
 - **Language:** `ES|QL`
@@ -13,10 +15,10 @@
 ```sql
 from logs-endpoint.events.process-*
-| where host.os.family == "windows" and event.category == "process" and event.action == "start" and
+| where host.os.family == "windows" and event.category == "process" and event.action == "start" and
 /* programs started shortly after user logon like startup items */
- process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and
- not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and
+ process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and
+ not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and
 /* this hunt is scoped to unsigned or untrusted code-sig or Microsoft signed binaries to not miss lolbins */
 (process.code_signature.exists == false or process.code_signature.trusted == false or starts_with(process.code_signature.subject_name, "Microsoft"))
 | keep process.executable, host.id, process.hash.sha256
@@ -28,8 +30,8 @@ from logs-endpoint.events.process-*
 ## Notes
-- Items set to persist via Startup like Run key and Startup folder will be executed by Explorer.exe shortly after user logon (process.Ext.session_info.relative_logon_time help us to capture that time difference).
-- Pay close attention to unknown hashes, suspicious paths and lolbins.
+- Items set to persist via Startup such as Run keys and Startup folder will be executed by `Explorer.exe` shortly after user logon (`process.Ext.session_info.relative_logon_time` helps us to capture that time difference).
+- Special attention to unknown hashes, suspicious paths and LOLBins should be given.
 ## MITRE ATT&CK Techniques
 - [T1547](https://attack.mitre.org/techniques/T1547)
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md
new file mode 100644
index 00000000000..7df963b1f81
--- /dev/null
+++ b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md
@@ -0,0 +1,58 @@
+# Low Frequency of Process Execution via WMI by Unique Agent
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt looks for unique process execution via Windows Management Instrumentation (WMI) by removing random patterns from `process.command_line` and aggregating execution by count of agents with the same command line to limit results to unique ones.
+
+- **UUID:** `b5efeb92-9b51-45b9-839f-be4cdc054ef4`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
+ to_lower(process.parent.name) == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft")
+| keep process.hash.sha256, host.id, process.name
+| stats agents = count_distinct(host.id) by process.name
+| where agents == 1
+```
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and
+ event.action in ("start", "Process creation", "created-process") and
+ process.parent.name.caseless == "wmiprvse.exe"
+| keep process.command_line, host.id
+| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| stats agents = count_distinct(host.id) by cmdline
+| where agents == 1
+```
+
+```sql
+from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
+ process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false)
+| keep process.hash.sha256, host.id, process.name
+| stats agents = count_distinct(host.id) by process.hash.sha256
+| where agents == 1
+```
+
+## Notes
+
+- This hunt contains three queries for Elastic Defend, Sysmon, and Windows Security event 4688.
+## MITRE ATT&CK Techniques
+
+- [T1047](https://attack.mitre.org/techniques/T1047)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md
deleted file mode 100644
index 5244065f615..00000000000
--- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon
-
----
-
-## Metadata
-
-- **Author:** Elastic
-- **UUID:** `b5efeb92-9b51-45b9-839f-be4cdc054ef4`
-- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
-- **Language:** `ES|QL`
-
-## Query
-
-```sql
-from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and
- process.parent.name.caseless == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft")
-| keep process.hash.sha256, host.id, process.name
-| stats agents = count_distinct(host.id) by process.name
-| where agents == 1
-```
-
-## Notes
-
-- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.
-- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.
-## MITRE ATT&CK Techniques
-
-- [T1047](https://attack.mitre.org/techniques/T1047)
-
-## License
-
-- `Elastic License v2`
diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md
deleted file mode 100644
index 740578c5fcb..00000000000
--- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.md
+++ /dev/null
@@ -1,34 +0,0 @@ -# Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `958a9027-2c6f-4eb0-a9ca-d1116a3bec76` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false) -| keep process.hash.sha256, host.id, process.name -| stats agents = count_distinct(host.id) by process.hash.sha256 -| where agents == 1 -``` - -## Notes - -- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones. -- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688. -## MITRE ATT&CK Techniques - -- [T1047](https://attack.mitre.org/techniques/T1047) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md b/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md deleted file mode 100644 index 60167350755..00000000000 --- a/hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.md +++ /dev/null 
@@ -1,37 +0,0 @@ -# Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `793d5655-d7d9-422a-ba9d-1fa75029265e` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation", "created-process") and - process.parent.name.caseless == "wmiprvse.exe" -| keep process.command_line, host.id -| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats agents = count_distinct(host.id) by cmdline -| where agents == 1 -``` - -## Notes - -- This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones. -- This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688. -## MITRE ATT&CK Techniques - -- [T1047](https://attack.mitre.org/techniques/T1047) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md index 04a951fb142..88d56835902 100644 
--- a/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/execution_via_windows_scheduled_task_with_low_occurrence_frequency.md @@ -1,10 +1,12 @@ -# Execution via Windows Scheduled Task with low occurrence frequency +# Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent --- ## Metadata - **Author:** Elastic +- **Description:** Aggregating by paths/hash, this hunt identifies rare instances where a program executes as a child process of the Tasks Scheduler service. This could be the result of persistence as a Windows Scheduled Task. + - **UUID:** `96d5afc8-1f25-4265-8a0e-9998091a2e1f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation") and process.code_signature.trusted != true and +| where @timestamp > now(-) - 7 day +| where host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation") and process.code_signature.trusted != true and /* child process of the Tasks Schedule service */ process.parent.name == "svchost.exe" and ends_with(process.parent.command_line, "Schedule") | stats hosts = count_distinct(host.id) by process.hash.sha256, process.name 
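Review bot: The rewritten time filter on the new side reads `| where @timestamp > now(-) - 7 day`, which is not valid ES|QL — `now()` takes no arguments — so the published query will fail to parse; it should read `| where @timestamp > now() - 7 day`, as every sibling hunt in this diff does. The remaining changed lines in this hunk only re-indent the existing predicate, so this typo is the only functional change to the query. If these docs are generated from a source file elsewhere in the repository, the same fix is needed there or it will be reintroduced on the next regeneration.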
@@ -25,8 +27,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* ## Notes -- Windows security event 4688 lacks process.parent.command_line needed for this hunt to identify the Schedule svchost instance. -- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation. +- Windows security event 4688 lacks `process.parent.command_line` needed for this hunt to identify the Schedule `svchost` instance. +- Unique `process.hash.sha256` and agent is not necessarily malicious, however this helps surface signals worth further investigation. ## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..37878a0a063 --- /dev/null +++ b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency.md 
@@ -0,0 +1,51 @@ +# Low Occurence of Process Execution via Windows Services with Unique Agent + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt looks for a low occurrence of process execution via the Windows Services Control Manager by unique agent. The Services Control Manager is responsible for starting, stopping, and interacting with system services. This could be a sign of persistence as a Windows service. + +- **UUID:** `858b7022-b587-4b95-afd6-8ce597bedce3` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name == "services.exe" and process.code_signature.trusted != true +| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name + /* unique hash observed in one unique agent */ +| where hosts == 1 +``` + +```sql +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and + event.action == "created-process" and process.parent.name == "services.exe" +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id) by process_path + /* unique path observed in one unique agent */ +| where hosts == 1 +``` + +## Notes + +- This hunt contains two queries for Elastic 
Defend and Windows Security event 4688. +- Windows security event 4688 lacks code signature and hash information, hence the use of `process.executable` for aggregation. +- Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation. +- Suspicious `process.executable` paths and LOLBins should be reviewed further. +## MITRE ATT&CK Techniques + +- [T1543](https://attack.mitre.org/techniques/T1543) +- [T1543.003](https://attack.mitre.org/techniques/T1543/003) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md deleted file mode 100644 index 9f0bda9cd57..00000000000 --- a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.md +++ /dev/null 
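Review bot: The first query still reads `from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*` while filtering on `process.code_signature.trusted != true`; in ES|QL a comparison against a missing field evaluates to null and the row is dropped by `where`, so if Sysmon process-creation events lack `process.code_signature` fields (as I believe they do), Sysmon rows are silently excluded and the query is effectively Elastic Defend only — which is what the new Notes say, but the `from` clause and the Integration line still advertise Sysmon. Either drop the Sysmon index from the first query or widen the predicate to `(process.code_signature.trusted != true or process.code_signature.trusted is null)` and state the choice in the Notes. The title also misspells `Occurrence` as `Occurence`, and the note `this help surface ones worth further investigation` should read `this helps surface ones worth further investigation`, matching the wording adopted in the scheduled-task hunt in this same diff.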
@@ -1,36 +0,0 @@ -# Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `858b7022-b587-4b95-afd6-8ce597bedce3` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name == "services.exe" and process.code_signature.trusted != true -| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name - /* unique hash observed in one unique agent */ -| where hosts == 1 -``` - -## Notes - -- Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation. -- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation. -- Suspicious process.executable paths and lolbins should be reviewed further. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md b/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md deleted file mode 100644 index 0fd0f5425d8..00000000000 --- a/hunting/windows/docs/execution_via_windows_services_with_low_occurrence_frequency_windows_security.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Execution via Windows Services with low occurrence frequency - Windows Security - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `5fdc9f73-c6a4-4ea4-8e16-347ed675e236` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and - event.action == "created-process" and process.parent.name == "services.exe" -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id) by process_path - /* unique path observed in one unique agent */ -| where hosts == 1 -``` - -## Notes - -- Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation. -- Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation. -- Suspicious process.executable paths and lolbins should be reviewed further. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md new file mode 100644 index 00000000000..ed98002ee6d --- /dev/null +++ b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process.md 
@@ -0,0 +1,77 @@ +# High Count of Network Connection Over Extended Period by Process + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address, limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint. + +- **UUID:** `ed254a22-e7bb-4a36-9291-196b77762dd8` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and + /* excluding DNS */ + destination.port != 53 and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id + /* calc total duration and the number of connections per hour */ +| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), 
number_of_con_per_hour = (count_connections / duration_hours) +| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour + /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */ +| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 +``` + +```sql +from logs-endpoint.events.network-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and +(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour + /* threshold is set to 120 
connections per minute , you can adjust it to your env/FP rate */ +| where duration_hours >= 1 and number_of_con_per_hour >= 120 +``` + +```sql +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and +/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ +not (process.name == "svchost.exe" and user.id == "S-1-5-18") and +/* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour +/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ +| where 
duration_hours >= 1 and number_of_con_per_hour >= 120 +``` + +## Notes + +- This hunt includes three queries for Elastic Defend and Sysmon data sources. +## MITRE ATT&CK Techniques + +- [T1071](https://attack.mitre.org/techniques/T1071) + +## License + +- `Elastic License v2` diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md deleted file mode 100644 index 537f6322638..00000000000 --- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.md +++ /dev/null 
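Review bot: The first query has no `@timestamp` bound, unlike the second and third (`| where @timestamp > now() - 7 day`), so it scans the whole network index pattern and its `duration_hours` can span the full data set rather than a hunting window; add `| where @timestamp > now() - 7 day` ahead of its first `where`. All three threshold comments say `threshold is set to 120 connections per minute`, but the value compared is `number_of_con_per_hour`, so they should say `per hour`. The merged Notes also dropped the caveat from the deleted Elastic Defend page that the second query omits the Sysmon index because Sysmon network events carry no process code-signature fields; restoring that sentence prevents a reader from adding `logs-windows.sysmon_operational-*` back and silently losing every row to the null comparison. Finally, `number_of_con_per_hour = (count_connections / duration_hours)` is evaluated before the `duration_hours >= 1` filter, so sub-hour sessions divide by zero; this is harmless only if ES|QL yields null there, and computing the rate after the filter avoids depending on that.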
@@ -1,40 +0,0 @@ -# High count of network connection over extended period by process - Elastic Defend Network - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `76843f1f-404d-42b8-9c25-fcc14e270240` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and -(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 
-``` - -## Notes - -- This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. Scoped for unsigned processes or ones running from suspicious paths, the Sysmon network events don't include process code signature information -## MITRE ATT&CK Techniques - -- [T1071](https://attack.mitre.org/techniques/T1071) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md deleted file mode 100644 index 4bf9f5d39ed..00000000000 --- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# High count of network connection over extended period by process - Elastic Defend Network - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `ed254a22-e7bb-4a36-9291-196b77762dd8` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and - /* excluding DNS */ - destination.port != 53 and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id - /* calc total duration and the number of connections per hour */ -| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust 
this values to your hunting needs */ -| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 -``` - -## Notes - -- This hunt identify browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address and this is limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint. -## MITRE ATT&CK Techniques - -- [T1071](https://attack.mitre.org/techniques/T1071) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md b/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md deleted file mode 100644 index 823e4121932..00000000000 --- a/hunting/windows/docs/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# High count of network connection over extended period by process - Elastic Defend - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `7ee9a5a7-3ce1-47eb-b15a-1b148299fcf0` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and -/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ -not (process.name == "svchost.exe" and user.id == "S-1-5-18") and -/* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / 
duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour -/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 -``` - -## Notes - -- This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. -## MITRE ATT&CK Techniques - -- [T1071](https://attack.mitre.org/techniques/T1071) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..db39a5dfe9c --- /dev/null +++ b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency.md 
@@ -0,0 +1,60 @@ +# Libraries Loaded by svchost with Low Occurrence Frequency + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt returns the SHA256 hash and the `dll.path` of unsigned libraries loaded by svchost where the presence of unique path/hash is limited to a unique host. Adversaries may use Windows service DLLs to maintain persistence or run with System privileges. + +- **UUID:** `e37fe0b9-1b70-4800-8989-58bac5a0a9bb` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) +- **Language:** `ES|QL` + +## Query + +```sql +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "library" and event.action == "load" and + process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and + (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) +| keep dll.name, dll.path, dll.hash.sha256, host.id +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) + /* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +``` + +```sql +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where 
host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and + process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" +| keep file.name, file.path, file.hash.sha256, host.id +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +/* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +``` + +## Notes + +- This hunt includes two queries to cover both Sysmon and Elastic Defend data sources. +- The hunt uses Elastic Defend library events for an extra optional condition `dll.Ext.relative_file_creation_time` to scope if for recently dropped DLLs. +- The `count_dlls_per_folder` variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir). +- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like `%programfiles%` and `system32/syswow64`. +## MITRE ATT&CK Techniques + +- [T1543](https://attack.mitre.org/techniques/T1543) +- [T1543.003](https://attack.mitre.org/techniques/T1543/003) + +## License + +- `Elastic License v2` 
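Review bot: The Notes describe `dll.Ext.relative_file_creation_time` as an `extra optional condition`, but in the first query it is a mandatory conjunct (`dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900`), so a service DLL written more than 15 minutes before svchost first loads it — e.g. one planted earlier and only loaded after the next service restart or reboot — is excluded from the Elastic Defend results while still surfacing in the Sysmon query. I would reword that note to say the 900-second window is a tunable filter that narrows results to recently written DLLs, and that removing it widens coverage to older persistence at the cost of more results. The Sysmon query also requires `file.hash.sha256 like "?*"`, so it returns nothing unless Sysmon is configured to compute SHA256 hashes; that prerequisite belongs in the Notes. Two wording fixes: `to scope if for recently dropped DLLs` should read `to scope it to recently dropped DLLs`, and `Pay close attention unknown hashes` should read `Pay close attention to unknown hashes`.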
diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md deleted file mode 100644 index ddadc0d6540..00000000000 --- a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.md +++ /dev/null 
@@ -1,42 +0,0 @@ -# Libraries loaded by svchost with low occurrence frequency - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `e37fe0b9-1b70-4800-8989-58bac5a0a9bb` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "library" and event.action == "load" and - process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and - (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) -| keep dll.name, dll.path, dll.hash.sha256, host.id -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) - /* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -``` - -## Notes - -- The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs. -- The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir). 
-- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md deleted file mode 100644 index cb61f28d407..00000000000 --- a/hunting/windows/docs/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# Libraries loaded by svchost with low occurrence frequency - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `1ae6bfd7-34ce-4d7b-b956-f12d3797ac68` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and - process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" -| keep file.name, file.path, file.hash.sha256, host.id -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -/* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -``` - -## Notes - -- The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs. -- The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir). -- Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64. 
-## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md b/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md index 362d216fb9c..16074a0d3cd 100644 --- a/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md @@ -1,10 +1,12 @@ -# Microsoft Office Child Processes with low occurrence frequency +# Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for Microsoft Office child processes with low occurrence frequency. This could be a normal rare behavior as well as potential execution via a malicious document. Adversaries may use Microsoft Office applications to execute malicious code, such as macros, scripts, or other payloads. + - **UUID:** `74b2e54b-7002-4201-83d6-7fd9bd5dcf0f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -13,18 +15,18 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where host.os.family == "windows" and @timestamp > NOW() - 15 day and - event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.parent.name.caseless in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") +| where host.os.family == "windows" and @timestamp > NOW() - 15 day and + event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.parent.name) in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") // normalize user home profile paths -| eval process_path = replace(process.executable.caseless, """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") -| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name +| eval process_path = replace(to_lower(process.executable), """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") +| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name | where occurrences == 1 and agents == 1 ``` ## Notes -- Certain processes like WerFault.exe, dw20.exe and dwwin.exe are often related to application crash. +- Certain processes like `WerFault.exe`, `dw20.exe` and `dwwin.exe` are often related to application crash. - Closer attention should be attributed to lolbins and unsigned executables (Windows 4688 is not capturing process code signature information). ## MITRE ATT&CK Techniques diff --git a/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md b/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md index 4525f0e7a14..0fc9f746203 100644 
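Review bot: In the rewritten `where` clause the exclusion `not starts_with(process.executable, "C:\\Program Files")` stays case-sensitive while the parent-name match beside it was switched to `to_lower(process.parent.name)`, so an executable recorded as `c:\program files\...` is not excluded and surfaces as a singleton (casing of `process.executable` is not guaranteed to be uniform across the three data sources the query reads). Normalizing it the same way keeps the filter consistent: `not starts_with(to_lower(process.executable), "c:\\program files")`. Alternatively apply the exclusion to `process_path` after the `eval`, which already lowercases the executable.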
--- a/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md +++ b/hunting/windows/docs/network_discovery_via_sensitive_ports_by_unusual_process.md @@ -1,10 +1,12 @@ -# Network Discovery via sensitive ports by unusual process +# Network Discovery via Sensitive Ports by Unusual Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for either processes connecting to multiple sensitive TCP ports (SMB, RDP, LDAP, Kerberos and ADWS), a high number of SMB/RDP connections to unique destinations or the same process connecting to both RDP and SMB (should be rare). + - **UUID:** `e0acab7d-30bd-4be0-9682-5c3457bbeb4f` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -12,10 +14,10 @@ ## Query ```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and +| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and + network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and process.pid != 4 | keep process.executable, destination.port, destination.ip, process.entity_id /* network events with SMB or RDP as a target */ diff --git a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md index 6abb434239c..7652222b096 100644 --- a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md +++ b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_agent.md 
@@ -1,10 +1,12 @@ -# PE File Transfer via SMB_Admin Shares by Agent +# PE File Transfer via SMB_Admin Shares by Agent or User --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for a high number of executable file transfers via the SMB protocol by the same user or agent to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. + - **UUID:** `3e66fc1a-2ea0-43a6-ba51-0280c693d152` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
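Review bot: The added Description line has a typo, `maxium` should read `maximum`. The same sentence says transfers are counted "by the same user or agent", but both queries in the following hunk aggregate `by user.name` only and use `agents` as the count of distinct `host.id`, so `by the same user to more than a defined maximum number of agents` would describe what the queries actually compute.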
@@ -13,17 +15,26 @@ ```sql from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) | stats agents = count_distinct(host.id), total = count(*) by user.name | where agents == 1 and total <= 3 ``` +```sql +from logs-endpoint.events.file-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| stats agents = count_distinct(host.id), total = count(*) by user.name + /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ +| where agents >= 10 +``` + ## Notes -- This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. -- Further investigation can done pivoting by host.id and user name. +- Further investigation can done pivoting by `host.id` and `user.name`. ## MITRE ATT&CK Techniques - [T1021](https://attack.mitre.org/techniques/T1021) diff --git a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md b/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md deleted file mode 100644 index 0721eb43ebc..00000000000 
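Review bot: The second fenced `sql` block is added straight under the first with nothing saying how the two differ, and the Notes line that used to explain the `agents >= 10` variant is removed in the same hunk, so a reader is left with two near-identical queries whose final filters point in opposite directions (`agents == 1 and total <= 3` versus `agents >= 10`). A one-line ES|QL comment at the top of each query would fix this, e.g. `/* variant 1: rare transfers confined to a single agent */` and `/* variant 2: one user pushing executables to many agents */`. The first query could also carry the same "threshold can be adjusted" comment the second one has, since `total <= 3` is just as environment-dependent.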
--- a/hunting/windows/docs/pe_file_transfer_via_smb_admin_shares_by_user.md +++ /dev/null @@ -1,35 +0,0 @@ -# PE File Transfer via SMB_Admin Shares by User - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `ef9def35-0671-4599-8a18-5a1b833ef4c4` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) -| stats agents = count_distinct(host.id), total = count(*) by user.name - /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ -| where agents >= 10 -``` - -## Notes - -- This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. -- PE File Transfer via SMB/Admin Shares by User -## MITRE ATT&CK Techniques - -- [T1021](https://attack.mitre.org/techniques/T1021) -- [T1021.002](https://attack.mitre.org/techniques/T1021/002) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md new file mode 100644 index 00000000000..3131f94a0a0 --- /dev/null +++ b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency.md 
@@ -0,0 +1,57 @@
+# Persistence via Run Key with Low Occurrence Frequency
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** Leveraging frequency based analysis and random values normalization, this hunt identifies instances where a program adds a persistence entry with rare values or are imited to unique hosts. Run registry key cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint.
+
+- **UUID:** `1078e906-0485-482e-bcf3-7ee939e07020`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.registry-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and
+ (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and
+ ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
+ not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
+| keep registry.key, registry.data.strings, process.name, host.id
+ /* Paths normalization in registry.data.strings to ease aggregation */
+| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
+| where hosts == 1 and cc == 1
+```
+
+```sql
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and
+ ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and
+ not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)"""
+| keep registry.key, registry.data.strings, process.name, host.id
+ /* Paths normalization in registry.data.strings to ease aggregation */
+| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data
+| where hosts == 1 and cc == 1
+```
+
+## Notes
+
+- This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.
+- Sysmon registry events do not populate process code signature information (hence the separation of the queries).
+- Suspicious paths and LOLBins in the `registry.data.strings` value should be reviewed further.
+## MITRE ATT&CK Techniques
+
+- [T1547](https://attack.mitre.org/techniques/T1547)
+- [T1547.001](https://attack.mitre.org/techniques/T1547/001)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md
deleted file mode 100644
index 4d900190b5d..00000000000
--- a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.md
+++ /dev/null
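Review bot: The new Description line has two typos, `are imited to unique hosts` should read `are limited to unique hosts` and `Run registry key cause programs` should read `Run registry keys cause programs`. The same sentence joins the two conditions with "or" (`rare values or are imited to unique hosts`), whereas both queries end with `| where hosts == 1 and cc == 1`, which requires both; `with rare values that are limited to unique hosts` would match the filter. The Notes already explain why the Sysmon query cannot carry the `process.code_signature` scoping the Elastic Defend query has, which is worth keeping as the reason the two queries are not merged.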
@@ -1,40 +0,0 @@ -# Persistence via Run Key with low occurrence frequency - Elastic Defend - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `1078e906-0485-482e-bcf3-7ee939e07020` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.registry-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and - (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -``` - -## Notes - -- Sysmon registry event don't populate process code signature information (hence the separation of the queries). -- Suspicious paths and lolbins in the registry.data.strings value should be reviewed further. -## MITRE ATT&CK Techniques - -- [T1547](https://attack.mitre.org/techniques/T1547) -- [T1547.001](https://attack.mitre.org/techniques/T1547/001) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md b/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md deleted file mode 100644 index 3f59ef9ac20..00000000000 --- a/hunting/windows/docs/persistence_via_run_key_with_low_occurrence_frequency_sysmon.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Persistence via Run Key with low occurrence frequency - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `cb2d8acc-123a-4578-bd33-7004c2be9843` -- **Integration:** [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -``` - -## Notes - -- Sysmon registry event don't populate process code signature information (hence the separation of the queries). -- Suspicious paths and lolbins in the registry.data.strings value should be reviewed further. -## MITRE ATT&CK Techniques - -- [T1547](https://attack.mitre.org/techniques/T1547) -- [T1547.001](https://attack.mitre.org/techniques/T1547/001) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md b/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md index 31d4d40ce4c..962e473921f 100644 
--- a/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/persistence_via_startup_with_low_occurrence_frequency.md @@ -1,10 +1,11 @@ -# Persistence via Startup with low occurrence frequency +# Persistence via Startup with Low Occurrence Frequency by Unique Host --- ## Metadata - **Author:** Elastic +- **Description:** Leveraging frequency based analysis and path normalization, this hunt identifies rare instances where a program adds a Startup persistence via file creation. Startup entries cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint. - **UUID:** `9d8c79fd-0006-4988-8aaa-d5f9b9a7df8e` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` @@ -14,7 +15,7 @@ ```sql from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and +| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.+)""" | keep process.executable, host.id, file.name /* Paths normalization in registry.data.strings to ease aggregation */ 
@@ -26,9 +27,9 @@ from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* ## Notes -- Elastic Defend file event captures the process.code_signature information, this can be added to the hunt to limit to unsigned and Microsoft signed programs. -- Unique file.name and limited to 1 agent is not necessarily malicious, this help surface ones worth further investigation. -- Suspicious process.executable paths and lolbins should be reviewed further. +- Elastic Defend file event captures the `process.code_signature` information, this can be added to the hunt to limit to unsigned and Microsoft signed programs. +- Unique `file.name` and limited to one agent is not necessarily malicious, however helps surface ones worth further investigation. +- Suspicious `process.executable` paths and LOLBins should be reviewed further. ## MITRE ATT&CK Techniques - [T1547](https://attack.mitre.org/techniques/T1547) diff --git a/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md b/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md index 2a9cc267e44..51661b8cfb1 100644 --- a/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md +++ b/hunting/windows/docs/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md @@ -1,10 +1,12 @@ -# Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence +# Low Occurrence of Suspicious Launch Agent or Launch Daemon --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. + - **UUID:** `a7dcd1a1-2860-491e-8802-31169a607167` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -14,7 +16,7 @@ ```sql from logs-endpoint.events.file-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and +| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and (Persistence.runatload == true or Persistence.keepalive == true) and process.executable is not null | eval args = MV_CONCAT(Persistence.args, ",") /* normalizing users home profile */ @@ -25,8 +27,7 @@ from logs-endpoint.events.file-* ## Notes -- This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. -- Further investigation can done pivoting by Persistence.name and args. +- Further investigation can done pivoting by `Persistence.name` and `args`. ## MITRE ATT&CK Techniques - [T1547](https://attack.mitre.org/techniques/T1547) diff --git a/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md b/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md index 6bebfef6981..ea5970208be 100644 --- a/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md +++ b/hunting/windows/docs/potential_exfiltration_by_process_total_egress_bytes.md @@ -1,10 +1,12 @@ -# Potential Exfiltration by process total egress bytes +# Egress Network Connections with Total Bytes Greater than Threshold --- ## Metadata - **Author:** Elastic +- **Description:** Using aggregation and the ES|QL `SUM` function, this hunt identifies processes that performed egress connections with total bytes greater or equal to a defined maximum threshold. This may indicate exfiltration or long term command and control activity. + - **UUID:** `977d77f9-86e0-4df6-bdc7-aed87c048290` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -13,9 +15,9 @@ ```sql from logs-endpoint.events.network-* -| where @timestamp > now() - 8 hour -| where host.os.family == "windows" and event.category == "network" and - event.action == "disconnect_received" and +| where @timestamp > now() - 8 hour +| where host.os.family == "windows" and event.category == "network" and + event.action == "disconnect_received" and not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.executable, process.entity_id | stats total_bytes_out = sum(source.bytes) by process.entity_id, destination.address, process.executable 
@@ -25,10 +27,10 @@ from logs-endpoint.events.network-* ## Notes -- This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log source.bytes. -- The use of host.os.family is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.) +- This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log `source.bytes`. +- The use of `host.os.family` is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.) - Based on limited testing it's recommended to set the query time window to 8 hours. -- Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.). +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md b/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md index cc20e15371d..6c7a77c7097 100644 --- a/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md +++ b/hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md 
@@ -1,10 +1,12 @@ -# Rundll32 execution aggregated by cmdline +# Rundll32 Execution Aggregated by Command Line --- ## Metadata - **Author:** Elastic +- **Description:** This hunt aggregate Rundll32 execution by normalized `process.command_line` and returns instances that are unique by frequency. Rundll32 is one of the most abused binaries to proxy execution of malicious commands and modules. + - **UUID:** `30f37cd2-c1d8-4554-bb4a-ed76de9e6857` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -14,8 +16,8 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless == "rundll32.exe" and +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.name) == "rundll32.exe" and not process.command_line rlike """.*(zzzzInvokeManagedCustomActionOutOfProc|GeneralTel.dll,RunInUserCxt|ShOpenVerbApplication|davclnt.dll,DavSetCookie|FileProtocolHandler|EDGEHTML.dll|FirewallControlPanel.dll,ShowNotificationDialog|printui.dll,PrintUIEntryDPIAware|Program Files|SHCreateLocalServerRunDll|ImageView_Fullscreen|StatusMonitorEntryPoint|Control_RunDLL|HotPlugSafeRemovalDriveNotification|AppxDeploymentClient.dll|acproxy.dll,PerformAutochkOperations|CapabilityAccessManagerDoStoreMaintenance|dfshim.dll|display.dll,ShowAdapterSettings|ForceProxyDetectionOnNextRun|PfSvWsSwapAssessmentTask|acmigration.dll,ApplyMigrationShims|LenovoBatteryGaugePackage.dll|-localserver|DriverStore|CnmDxPEntryPoint|DeferredDelete|DeviceProperties_RunDLL|AppxDeploymentClient.dll|spool\\DRIVERS|printui.dll,PrintUIEntry|DfdGetDefaultPolicyAndSMART|cryptext.dll,CryptExt|WininetPlugin.dll|ClearMyTracksByProcess|SusRunTask|OpenURL|CleanupTemporaryState).*""" | keep process.parent.name, process.command_line, host.id | eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 
@@ -27,7 +29,7 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes - Execution of DLLs from suspicious paths or with suspicious export function names or from suspicious parent should be further reviewed. -- Parents such as svchost, explorer.exe, wmiprvse.exe, winword.exe and others should be carefully reviewed. +- Parents such as svchost, `explorer.exe`, `wmiprvse.exe`, `winword.exe` and others should be carefully reviewed. ## MITRE ATT&CK Techniques - [T1127](https://attack.mitre.org/techniques/T1127) diff --git a/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md b/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md index 58f74c3f7ed..7e5f3769c62 100644 --- a/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md +++ b/hunting/windows/docs/scheduled_task_creation_by_action_via_registry.md @@ -1,10 +1,12 @@ -# Scheduled tasks creation by action via registry +# Scheduled tasks Creation by Action via Registry --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for scheduled tasks creation by action using registry events. Scheduled tasks actions are saved under the TaskCache registry key in base64 encoded blob. Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query. + - **UUID:** `344c0690-ebc3-4794-b123-272a5c09c57b` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `ES|QL` 
@@ -28,8 +30,7 @@ from logs-endpoint.events.registry-* ## Notes -- This hunt aggregate created scheduled tasks by action using registry events. -- Malware often abuse lolbins to proxy execution or run executables from unusual paths, you can add more patterns to the query. +- Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query. ## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md b/hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md similarity index 76% rename from hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md rename to hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md index 75e25e80ec8..685fcae5eb2 100644 --- a/hunting/windows/docs/scheduled_tasks_creation_with_low_occurrence_frequency.md +++ b/hunting/windows/docs/scheduled_tasks_creation_for_unique_hosts_by_task_command.md @@ -1,10 +1,12 @@ -# Scheduled tasks creation with low occurrence frequency +# Scheduled Tasks Creation for Unique Hosts by Task Command --- ## Metadata - **Author:** Elastic +- **Description:** Using aggregation and strings extraction, this hunt identifies instances where a scheduled task is created and set to run a command unique to a specific host. This could be the result of persistence as a Windows Scheduled Task. + - **UUID:** `75804319-122c-4bdc-976e-d6355bca0d78` - **Integration:** [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -16,23 +18,23 @@ from logs-system.security-default-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created" /* parsing unstructured data from winlog message to extract a scheduled task Exec command */ -| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") +| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") | where Command is not null /* normalise task name by removing usersid and uuid string patterns */ -| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") +| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") /* normalise task name by removing random patterns in a file path */ | eval Task_Command = replace(Command, """(ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") /* normalize user home profile path */ | eval Task_Command = replace(Task_Command, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") | where Task_Command like "?*" and not starts_with(Task_Command, "C:\\Program Files") and not starts_with(Task_Command, "\"C:\\Program Files") -| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName +| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName | where hosts_count == 1 ``` ## Notes - This hunt returns the aggregation of created tasks by task name, command to execute and number of hosts where this task is present. -- Close attention should be paid to suspicious paths like C:\Users\Public and C:\ProgramData\ as well as lolbins. +- Close attention should be paid to suspicious paths like `C:\Users\Public and C:\ProgramData\` as well as LOLBins. 
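Review bot: The rewritten Notes bullet wraps two paths and the word "and" in a single code span, so it renders as one literal; it should be `- Close attention should be paid to suspicious paths like `C:\Users\Public` and `C:\ProgramData\` as well as LOLBins.`. As rendered on this page the retained grok line reads `grok message "(?.+)"` and the following replace pattern `"(|)"`, which looks like an angle-bracket capture name stripped by the renderer rather than the file's content; worth confirming the committed file still carries the named capture, since `(?.+)` alone is not a valid pattern. The first hunk line is `| where @timestamp`, so the `from` line and the fence opening sit outside this hunk.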
## MITRE ATT&CK Techniques - [T1053](https://attack.mitre.org/techniques/T1053) diff --git a/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md b/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md index 5d9bd80da3c..eb3ed872e2e 100644 --- a/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md +++ b/hunting/windows/docs/suspicious_base64_encoded_powershell_commands.md @@ -1,10 +1,12 @@ -# Suspicious Base64 Encoded PowerShell Command +# Suspicious Base64 Encoded Powershell Command --- ## Metadata - **Author:** Elastic +- **Description:** This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands. + - **UUID:** `8bf800de-b3a2-4b36-9484-7d9dae2a1992` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` @@ -27,7 +29,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes -- This hunt decode base64 obfuscated powershell commands in process start events and filter ones with suspicious keywords like downloaders and evasion related commands. +- This hunt can be expanded to include more evasion techniques and downloaders. +- Pivoting by `agent.id` can provide more context on the affected hosts. ## MITRE ATT&CK Techniques - [T1059](https://attack.mitre.org/techniques/T1059) diff --git a/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md b/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md index 72943cfdb0c..77291923421 100644 --- a/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md +++ b/hunting/windows/docs/suspicious_dns_txt_record_lookups_by_process.md 
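Review bot: The new title in the first hunk changes `PowerShell` to `Powershell`, losing the product's own capitalization that the removed line had, and the added description writes `powershell` in lowercase as well; the other titles in this commit are being normalised to Title Case per word, so `# Suspicious Base64 Encoded PowerShell Command` and "base64 encoded PowerShell commands" in the description keep the file consistent with that intent.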
@@ -1,10 +1,13 @@ -# Suspicious DNS TXT Record lookups by process +# Suspicious DNS TXT Record Lookups by Process --- ## Metadata - **Author:** Elastic +- **Description:** Leveraging aggregation by process executable entities, this hunt identifies identifies a high number of DNS TXT record queries from same process. +Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data. + - **UUID:** `0b7343f7-2d16-43c7-af28-9d1f012b1093` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) - **Language:** `ES|QL` 
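Review bot: The added description has a doubled word, "this hunt identifies identifies a high number of DNS TXT record queries", and its second sentence is emitted on a line of its own (`+Adversaries may leverage ...`) rather than continuing the `- **Description:**` bullet as every other description in this commit does; most renderers treat it as a lazy continuation, but one that does not will show it as a stray paragraph. Suggested single line: `- **Description:** Leveraging aggregation by process executable entities, this hunt identifies a high number of DNS TXT record queries from the same process. Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data.`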
@@ -12,20 +15,1583 @@ ## Query ```sql -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - event.action in ("lookup_requested", "DNSEvent (DNS query)") and - (dns.question.type == "TXT" or dns.answers.type == "TXT") and process.executable != "C:\\Windows\\system32\\svchost.exe" -| keep process.executable, process.entity_id -| stats occurrences = count(*) by process.entity_id, process.executable - /* threshold can be adjusted to your env */ -| where occurrences >= 50 +f``` + +```sql +r``` + +```sql +o``` + +```sql +m``` + +```sql + ``` + +```sql +l``` + +```sql +o``` + +```sql +g``` + +```sql +s``` + +```sql +-``` + +```sql +e``` + +```sql +n``` + +```sql +d``` + +```sql +p``` + +```sql +o``` + +```sql +i``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +s``` + +```sql +.``` + +```sql +n``` + +```sql +e``` + +```sql +t``` + +```sql +w``` + +```sql +o``` + +```sql +r``` + +```sql +k``` + +```sql +-``` + +```sql +*``` + +```sql +,``` + +```sql + ``` + +```sql +l``` + +```sql +o``` + +```sql +g``` + +```sql +s``` + +```sql +-``` + +```sql +w``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +.``` + +```sql +s``` + +```sql +y``` + +```sql +s``` + +```sql +m``` + +```sql +o``` + +```sql +n``` + +```sql +_``` + +```sql +o``` + +```sql +p``` + +```sql +e``` + +```sql +r``` + +```sql +a``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql +a``` + +```sql +l``` + +```sql +-``` + +```sql +*``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +w``` + +```sql +h``` + +```sql +e``` + +```sql +r``` + +```sql +e``` + +```sql + ``` + +```sql +h``` + +```sql +o``` + +```sql +s``` + +```sql +t``` + +```sql +.``` + +```sql +o``` + +```sql +s``` + +```sql +.``` + +```sql +f``` + +```sql +a``` + +```sql +m``` + 
+```sql +i``` + +```sql +l``` + +```sql +y``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +w``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +"``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + ``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +c``` + +```sql +a``` + +```sql +t``` + +```sql +e``` + +```sql +g``` + +```sql +o``` + +```sql +r``` + +```sql +y``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +n``` + +```sql +e``` + +```sql +t``` + +```sql +w``` + +```sql +o``` + +```sql +r``` + +```sql +k``` + +```sql +"``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + +``` + +```sql + ``` + +```sql + ``` + +```sql +e``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +.``` + +```sql +a``` + +```sql +c``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql + ``` + +```sql +i``` + +```sql +n``` + +```sql + ``` + +```sql +(``` + +```sql +"``` + +```sql +l``` + +```sql +o``` + +```sql +o``` + +```sql +k``` + +```sql +u``` + +```sql +p``` + +```sql +_``` + +```sql +r``` + +```sql +e``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +d``` + +```sql +"``` + +```sql +,``` + +```sql + ``` + +```sql +"``` + +```sql +D``` + +```sql +N``` + +```sql +S``` + +```sql +E``` + +```sql +v``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql + ``` + +```sql +(``` + +```sql +D``` + +```sql +N``` + +```sql +S``` + +```sql + ``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +r``` + +```sql +y``` + +```sql +)``` + +```sql +"``` + +```sql +)``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + +``` + +```sql + ``` + +```sql + ``` + +```sql +(``` + +```sql +d``` + +```sql +n``` 
+ +```sql +s``` + +```sql +.``` + +```sql +q``` + +```sql +u``` + +```sql +e``` + +```sql +s``` + +```sql +t``` + +```sql +i``` + +```sql +o``` + +```sql +n``` + +```sql +.``` + +```sql +t``` + +```sql +y``` + +```sql +p``` + +```sql +e``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +T``` + +```sql +X``` + +```sql +T``` + +```sql +"``` + +```sql + ``` + +```sql +o``` + +```sql +r``` + +```sql + ``` + +```sql +d``` + +```sql +n``` + +```sql +s``` + +```sql +.``` + +```sql +a``` + +```sql +n``` + +```sql +s``` + +```sql +w``` + +```sql +e``` + +```sql +r``` + +```sql +s``` + +```sql +.``` + +```sql +t``` + +```sql +y``` + +```sql +p``` + +```sql +e``` + +```sql + ``` + +```sql +=``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +T``` + +```sql +X``` + +```sql +T``` + +```sql +"``` + +```sql +)``` + +```sql + ``` + +```sql +a``` + +```sql +n``` + +```sql +d``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql + ``` + +```sql +!``` + +```sql +=``` + +```sql + ``` + +```sql +"``` + +```sql +C``` + +```sql +:``` + +```sql +\``` + +```sql +\``` + +```sql +W``` + +```sql +i``` + +```sql +n``` + +```sql +d``` + +```sql +o``` + +```sql +w``` + +```sql +s``` + +```sql +\``` + +```sql +\``` + +```sql +s``` + +```sql +y``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +m``` + +```sql +3``` + +```sql +2``` + +```sql +\``` + +```sql +\``` + +```sql +s``` + +```sql +v``` + +```sql +c``` + +```sql +h``` + +```sql +o``` + +```sql +s``` + +```sql +t``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +"``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +k``` + +```sql +e``` + +```sql +e``` + +```sql +p``` + +```sql + 
``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql +,``` + +```sql + ``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +i``` + +```sql +t``` + +```sql +y``` + +```sql +_``` + +```sql +i``` + +```sql +d``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +s``` + +```sql +t``` + +```sql +a``` + +```sql +t``` + +```sql +s``` + +```sql + ``` + +```sql +o``` + +```sql +c``` + +```sql +c``` + +```sql +u``` + +```sql +r``` + +```sql +r``` + +```sql +e``` + +```sql +n``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql + ``` + +```sql +=``` + +```sql + ``` + +```sql +c``` + +```sql +o``` + +```sql +u``` + +```sql +n``` + +```sql +t``` + +```sql +(``` + +```sql +*``` + +```sql +)``` + +```sql + ``` + +```sql +b``` + +```sql +y``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +n``` + +```sql +t``` + +```sql +i``` + +```sql +t``` + +```sql +y``` + +```sql +_``` + +```sql +i``` + +```sql +d``` + +```sql +,``` + +```sql + ``` + +```sql +p``` + +```sql +r``` + +```sql +o``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql +s``` + +```sql +.``` + +```sql +e``` + +```sql +x``` + +```sql +e``` + +```sql +c``` + +```sql +u``` + +```sql +t``` + +```sql +a``` + +```sql +b``` + +```sql +l``` + +```sql +e``` + +```sql + +``` + +```sql + ``` + +```sql +/``` + +```sql +*``` + +```sql + ``` + +```sql +t``` + +```sql +h``` + +```sql +r``` + +```sql +e``` + +```sql +s``` + +```sql +h``` + +```sql +o``` + +```sql +l``` + +```sql +d``` + +```sql 
+ ``` + +```sql +c``` + +```sql +a``` + +```sql +n``` + +```sql + ``` + +```sql +b``` + +```sql +e``` + +```sql + ``` + +```sql +a``` + +```sql +d``` + +```sql +j``` + +```sql +u``` + +```sql +s``` + +```sql +t``` + +```sql +e``` + +```sql +d``` + +```sql + ``` + +```sql +t``` + +```sql +o``` + +```sql + ``` + +```sql +y``` + +```sql +o``` + +```sql +u``` + +```sql +r``` + +```sql + ``` + +```sql +e``` + +```sql +n``` + +```sql +v``` + +```sql + ``` + +```sql +*``` + +```sql +/``` + +```sql + +``` + +```sql +|``` + +```sql + ``` + +```sql +w``` + +```sql +h``` + +```sql +e``` + +```sql +r``` + +```sql +e``` + +```sql + ``` + +```sql +o``` + +```sql +c``` + +```sql +c``` + +```sql +u``` + +```sql +r``` + +```sql +r``` + +```sql +e``` + +```sql +n``` + +```sql +c``` + +```sql +e``` + +```sql +s``` + +```sql + ``` + +```sql +>``` + +```sql +=``` + +```sql + ``` + +```sql +5``` + +```sql +0``` + +```sql + ``` ## Notes -- This hunt returns a list of processes unique pids and executable path that performs a high number of DNS TXT lookups. -- Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.). +- This hunt returns a list of processes unique pids and executable paths that performs a high number of DNS TXT lookups. +- Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.). ## MITRE ATT&CK Techniques - [T1071](https://attack.mitre.org/techniques/T1071) diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md new file mode 100644 index 00000000000..3a98c902341 --- /dev/null +++ b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename.md 
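Review bot: The new side of this hunk drops the nine-line query and replaces it with roughly 1,580 one-character ```sql fences (`f`, `r`, `o`, `m`, ...), so the rendered document no longer contains a runnable query at all; this looks like the docs generator iterating over the query string character by character instead of over a list of queries, so the `query` field of the corresponding TOML is presumably a bare string where the generator expects a list, and the page should be regenerated rather than hand-edited. Read back character by character, the intended text is the same as the removed block, from `from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*` through `| where occurrences >= 50`, so nothing beyond the layout is lost. When it is regenerated, note that this query, unlike the other hunts touched in this commit, carries no `| where @timestamp > now() - 7 day` window and therefore scans the whole index pattern; adding the same window would be consistent with the rest of the set.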
@@ -0,0 +1,77 @@
+# Unique Windows Services Creation by Service File Name
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the ES|QL `Replace` command we can also further remove random patterns to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and LOLBins.
+
+- **UUID:** `ebf79207-16dc-44f8-b10c-317d4a034bad`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system)
+- **Language:** `ES|QL`
+
+## Query
+
+```sql
+from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and
+ registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and
+ process.executable != "C:\\Windows\\System32\\services.exe"
+| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path
+/* unique process.executable found in one agent */
+| where hosts == 1 and occurrences == 1
+```
+
+```sql
+from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and
+ registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and
+ not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program
Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
+| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
+| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
+ /* unique ServiceFileName observed in 1 host*/
+| where hosts == 1 and cc == 1
+```
+
+```sql
+from logs-system.security-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and
+ not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
+| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
+| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
+| where hosts == 1 and cc == 1
+```
+
+```sql
+from logs-system.system-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.code == "7045" and
+ not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
+| eval ServiceFileName = replace(winlog.event_data.ImagePath,
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
+| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
+| where hosts == 1 and cc == 1
+```
+
+## Notes
+
+- This hunt also identifies services registry modification by unusual process based on number of hosts and occurrences history.
+- Windows event IDs 4697 and 7045 are used to identify service creation and modification.
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+- [T1543.003](https://attack.mitre.org/techniques/T1543/003)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md
deleted file mode 100644
index 1a5002562fa..00000000000
--- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.md
+++ /dev/null
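Review bot: The first query's `process.executable != "C:\\Windows\\System32\\services.exe"` exclusion is an exact, case-sensitive string comparison, while the other hunts in this commit move from `.caseless` fields to `to_lower(...)`; if the executable path is ever logged with different casing, the services.exe events are not excluded and will dominate the `process_path` aggregation, so `to_lower(process.executable) != "c:\\windows\\system32\\services.exe"` would be consistent with the rest of the change. The second Notes bullet says event IDs 4697 and 7045 identify "service creation and modification", but both events record a service being installed; the modification coverage in this file comes from the registry queries on `ImagePath`/`ServiceDLL` value-set events, so `- Windows event IDs 4697 and 7045 identify service installation; the registry queries above cover ImagePath/ServiceDLL modifications.` describes the four queries accurately. `## MITRE ATT&CK Techniques` also directly follows the last bullet with no blank line, which some Markdown renderers fold into the list; every other heading in the file is preceded by one.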
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `ebf79207-16dc-44f8-b10c-317d4a034bad` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - process.executable != "C:\\Windows\\System32\\services.exe" -| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path -/* unique process.executable found in one agent */ -| where hosts == 1 and occurrences == 1 -``` - -## Notes - -- This hunt identify services registry modification by unusual process based on number of hosts and occurrences history. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md deleted file mode 100644 index 9d156cac125..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `688dc79d-f52a-49ad-829d-89343e68b0f7` -- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and - registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName - /* unique ServiceFileName observed in 1 host*/ -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. 
-## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md deleted file mode 100644 index fcc0dbd89bf..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_4697.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Windows Security 4697 - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `b6b14385-4ed2-44af-98fe-dad5b1581174` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and - not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` 
diff --git a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md b/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md deleted file mode 100644 index 0a4813198a7..00000000000 --- a/hunting/windows/docs/unique_windows_services_creation_by_servicefilename_windows_security_7045.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Unique Windows Services Creation by ServiceFileName - Windows Security 7045 - ---- - -## Metadata - -- **Author:** Elastic -- **UUID:** `1749a45b-98f0-4b27-8c2f-2287230e52b7` -- **Integration:** [system](https://docs.elastic.co/integrations/system) -- **Language:** `ES|QL` - -## Query - -```sql -from logs-system.system-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.code == "7045" and - not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" -| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -``` - -## Notes - -- This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins. -## MITRE ATT&CK Techniques - -- [T1543](https://attack.mitre.org/techniques/T1543) -- [T1543.003](https://attack.mitre.org/techniques/T1543/003) - -## License - -- `Elastic License v2` diff --git a/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md b/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md index 3fd574ca4c3..bd5755a4943 100644 
--- a/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md +++ b/hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md @@ -1,10 +1,12 @@ -# Windows Command and Scripting Interpreter from unusual parent +# Windows Command and Scripting Interpreter from Unusual Parent Process --- ## Metadata - **Author:** Elastic +- **Description:** This hunt looks for unusual Microsoft native processes spawning `cmd.exe`, `powershell.exe` or `conhost.exe` and limited to a unique host. This could be normal rare behavior as well as an interactive shell activity from an injected parent process to execute system commands. + - **UUID:** `de929347-c04a-4a94-8be2-cbe87b25bb25` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint), [windows](https://docs.elastic.co/integrations/windows), [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` @@ -14,9 +16,9 @@ ```sql from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and - (starts_with(process.parent.executable.caseless, "c:\\windows\\system32") or starts_with(process.parent.executable.caseless, "c:\\windows\\syswow64")) +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + to_lower(process.name) in ("cmd.exe", "powershell.exe", "conhost.exe") and + (starts_with(to_lower(process.parent.executable), "c:\\windows\\system32") or starts_with(to_lower(process.parent.executable), "c:\\windows\\syswow64")) | keep process.name, process.parent.name, host.id | stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name | where cc <= 10 and hosts == 1 
@@ -24,8 +26,8 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys ## Notes -- Pivoting can be done via process.parent.name. -- Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn cmd.exe powershell.exe or conhost.exe, if so it's highly likely malicious. +- Further pivoting can be done via `process.parent.name`. +- Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn `cmd.exe`, `powershell.exe` or `conhost.exe`, if so it's highly likely malicious. ## MITRE ATT&CK Techniques - [T1059](https://attack.mitre.org/techniques/T1059) diff --git a/hunting/windows/docs/windows_logon_activity_by_source_ip.md b/hunting/windows/docs/windows_logon_activity_by_source_ip.md index f19f53ff9af..5c71659eeca 100644 --- a/hunting/windows/docs/windows_logon_activity_by_source_ip.md +++ b/hunting/windows/docs/windows_logon_activity_by_source_ip.md @@ -1,10 +1,12 @@ -# Windows logon activity by source IP +# Windows Logon Activity by Source IP --- ## Metadata - **Author:** Elastic +- **Description:** This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is. + - **UUID:** `7bdea198-eb09-4eca-ae3d-bfc3b52c89a9` - **Integration:** [system](https://docs.elastic.co/integrations/system) - **Language:** `ES|QL` 
@@ -14,10 +16,10 @@ ```sql from logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and - event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and - source.ip is not null and - /* noisy failure status codes often associated to authentication misconfiguration */ +| where host.os.family == "windows" and + event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and + source.ip is not null and + /* noisy failure status codes often associated to authentication misconfiguration */ not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")) | eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null) | stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip @@ -27,8 +29,7 @@ from logs-system.security-* ## Notes -- This hunt returns the total number of failed logons, successful ones and the number of unique account names grouped by source.ip. -- Pay close attention to IP addresses source of a high number of failures associated with low success attempts and high number of used accounts. +- Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts. ## MITRE ATT&CK Techniques - [T1110](https://attack.mitre.org/techniques/T1110) diff --git a/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml b/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml index a59a13ddad0..4fea380c3ba 100644 --- a/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml 
+++ b/hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml @@ -1,22 +1,23 @@ [hunt] author = "Elastic" +description = "This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host." integration = ["windows"] uuid = "0545f23f-84a7-4b88-9b5b-b8cfcfdc9276" -name = "CreateRemoteThread by source process with low occurrence" +name = "Low Occurrence Rate of CreateRemoteThread by Source Process" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt aggregates Sysmon CreateRemoteThread events by source process and returns the ones that we observed in only one unique host. This may indicate remote process injection.", - "Adding winlog.event_data.TargetImage to the group by clause can be beneficial but may introduce more legit hits.", + "Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives.", ] mitre = ["T1055"] - -query = ''' -from logs-windows.sysmon_operational-* +query = [ +''' +from logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread" | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") | stats cc = count(*), hosts = count_distinct(host.id) by source_process /* unique source and target processes combined and observed in 1 host */ | where hosts == 1 and cc == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml new file mode 100644 index 00000000000..cdbfab8145e --- /dev/null 
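Review bot: The new `description` says the hunt returns source processes observed on only one unique host, but the final filter `| where hosts == 1 and cc == 1` also requires a single event in the window, so the description under-states the constraint; `...returns the ones observed only once and on a single unique host.` would match the query. The inline comment `/* unique source and target processes combined and observed in 1 host */` is also stale now that the aggregation is `by source_process` alone, and the new note explicitly leaves `winlog.event_data.TargetImage` out of the group-by; `/* source process observed once and on a single host */` describes what the `stats`/`where` pair actually does. Both are wording-only changes to the new side of this hunk, which covers the whole file.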
+++ b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml 
@@ -0,0 +1,50 @@ +[hunt] +author = "Elastic" +description = "This hunt identifies when a process loads a DLL normally located in `System32` or `SysWOW64` folders from an unusual path. Adversaries may execute their own malicious payloads by side-loading malicious DLLs. The host count also should help exclude false-positives by looking at low occurrences when this abnormal behavior is limited to unique agents." +integration = ["endpoint", "windows"] +uuid = "87c97865-fdaa-48b2-bfa6-67bed7cf56ef" +name = "DLL Hijack via Masquerading as Microsoft Native Libraries" +language = "ES|QL" +license = "Elastic License v2" +mitre = ["T1574", "T1574.001"] +notes = [ + "This hunt has two optional queries, one for Elastic Defend data and another for Sysmon data.", + "This hunt requires the creation of an [enrichment policy](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql-enrich-data.html) to use with the ES|QL (ENRICH command).", + "The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose.", + "Paths like `C:\\Users\\Public and C:\\ProgramData\\` are often observed in malware employing DLL side-loading.", +] + +query = [ +''' +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and + not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id + /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ +| ENRICH libs-policy-defend + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing 
random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 +| sort host_count asc +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| keep file.name, file.path, file.hash.sha256, process.executable, host.id + /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ +| ENRICH libs-policy-sysmon + /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ +| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") + /* normalize paths by removing random patterns */ +| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), + dll_path = replace(file.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 +| sort host_count asc +''' +] \ No newline 
at end of file diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml deleted file mode 100644 index cc5b45c0138..00000000000 --- a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_elastic_defend.toml +++ /dev/null 
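Review bot: The consolidated `notes` drop the caveat the deleted Sysmon variant carried — that Sysmon Image Load events do not include process code signature information — yet the second query still has no `process.code_signature.status` condition while the first requires `process.code_signature.status == "trusted"`, so the two queries differ in scope; a note such as `"Process code signature information is not captured in Sysmon Image Load events, so the Sysmon query cannot restrict matches to signed parent processes."` should be restored. The fourth note places both paths and the word "and" inside one backtick pair; the backticks should close after `C:\\Users\\Public` and reopen for `C:\\ProgramData\\`, as the sibling sideload file does. Both `ENRICH` comments read `located is system32` where `in` is meant. The system-path exclusion `[a-zA-Z0-9_]+.dll` also leaves out library names containing `-` or `.` (the `api-ms-win-*.dll` family, for instance), so such loads from System32 are not excluded and may surface if the enrichment tags them native; `[a-zA-Z0-9_\.\-]+\.dll` would be tighter and also escapes the literal dot.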
@@ -1,30 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "87c97865-fdaa-48b2-bfa6-67bed7cf56ef" -name = "Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command).", - "The `dll.hash.sha256` field can be used to pivot and further investigate the DLL origin and purpose.", - "Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.", -] -mitre = ["T1574", "T1574.001"] - -query = ''' -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and - not dll.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep dll.name, dll.path, dll.hash.sha256, process.executable, host.id - /* steps how to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c */ -| ENRICH libs-policy-defend - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(dll.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(dll.path, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by dll.name, dll_path, process_path, dll.hash.sha256 -| 
sort host_count asc -''' \ No newline at end of file diff --git a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml b/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml deleted file mode 100644 index f88d93c97b6..00000000000 --- a/hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries_sysmon.toml +++ /dev/null 
@@ -1,31 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "68314691-1460-4ac5-ae0d-6b3514e43254" -name = "Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt require the creation of an enrichment policy to use with the ES|QL (ENRICH command).", - "Using dll.hash.sha256 for Elastic Defend or file.hash.sha256 for Sysmon you can pivot to further investigate the DLL origin and purpose.", - "Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.", - "Process code signature information is not captured in Sysmon Image Load Events (not present in the ES|QL hunt).", -] -mitre = [ "T1574", "T1574.001",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| keep file.name, file.path, file.hash.sha256, process.executable, host.id - /* steps to create DL enrichment policy https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c - just replace dll by file */ -| ENRICH libs-policy-sysmon - /* if the DLL is normally located is system32 or syswow64 folders, native tag will be equal to yes */ -| where native == "yes" and not starts_with(file.path, "C:\\Windows\\assembly\\NativeImages") - /* normalize paths by removing random patterns */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), - dll_path = replace(file.path, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats host_count = count_distinct(host.id) by file.name, dll_path, process_path, file.hash.sha256 -| sort host_count asc -''' \ No newline at end of file diff --git a/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml b/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml index 2b3f0ab80e6..96f9ef336ce 100644 --- a/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml +++ b/hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml @@ -1,11 +1,13 @@ [hunt] author = "Elastic" +description = "This hunt detects processes named as legit Microsoft native binaries located in the system32 folder. Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. " integration = ["endpoint"] uuid = "93a72542-a1f7-4407-9175-8f066343db60" -name = "Detect masquerading attempts as native Windows binaries" +mitre = ["T1036"] +name = "Masquerading Attempts as Native Windows Binaries" language = "ES|QL" license = "Elastic License v2" -query = ''' +query = [''' from logs-endpoint.events.process-* | where @timestamp > NOW() - 7 day | where event.type == "start" and event.action == "start" and host.os.name == "Windows" and not starts_with(process.executable, "C:\\Program Files\\WindowsApps\\") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\") and process.name != "setup.exe" 
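Review bot: The added `description` string ends with a trailing space before the closing quote (`...evading defenses and observation. "`), which any generated docs will carry verbatim; drop it. The rest of the hunk is a field reorder plus the `query = ['''` list conversion; the context line still filters on `host.os.name == "Windows"` while the other hunts in this commit use `host.os.family == "windows"`, which is worth aligning in a follow-up if both fields are populated for this index.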
@@ -17,10 +19,10 @@ from logs-endpoint.events.process-* | stats count_system_bin = count(system_bin), count_non_system_bin = count(non_system_bin) by process.name.caseless, host.id /* filter where the same process.name is present in both system_bin and non_system_bin */ | where count_system_bin >= 1 and count_non_system_bin >= 1 -''' +'''] notes = [ - "Output of the query is the process.name and host.id, you can pivot by host.id and process.name(non Microsoft signed) to find the specific suspicious instances.", - "Potential false positives include processes with missing code signature details due to enrichment bugs.", + "Output of the query is the `process.name` and `host.id` where you can pivot by `host.id` and `process.name` (non Microsoft signed) to find the specific suspicious instances.", + "Potential false-positives include processes with missing code signature details due to enrichment bugs.", "The queried index must capture process start events with code signature information (e.g. Windows event 4688 is not supported).", ] -mitre = ["T1036"] + diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml new file mode 100644 index 00000000000..9374520bda0 --- /dev/null +++ b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml 
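Review bot: Removing `mitre = ["T1036"]` at the end of the file leaves an added empty line (`+`) as the new last line, so the file now ends with a blank line where the other hunt files in this commit end at the closing `]`; drop the empty addition. The `notes` rewording in the same hunk is fine.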
@@ -0,0 +1,45 @@ +[hunt] +author = "Elastic" +description = """This hunt identifies instances where a signed Windows process attempts to load an unsigned DLL from the same process folder. Matches are limited to a unique host with low library load occurrence. Adversaries may execute their own malicious payloads by side-loading malicious DLLs.""" +integration = ["endpoint", "windows"] +uuid = "bcdb7c29-1312-4974-8f2e-10ddeb09cf5c" +name = "Rare DLL Side-Loading by Occurrence" +language = "ES|QL" +license = "Elastic License v2" +query = [ +''' +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256 +/* total_count can be adjusted to 
higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and + not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) +| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name +/* paths normalization by removing random patterns */ +| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") +| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 +/* total_count can be adjusted to higher or lower values depending on env */ +| where host_count == 1 and total_count <= 10 +| keep total_count, host_count, dll_folder, file.name, process.name, file.hash.sha256 +''' +] +notes = [ + 'This hunt has two optional queries, one 
for Elastic Defend data and another for Sysmon data.', + 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.', + 'Paths like `C:\\Users\\Public` and `C:\\ProgramData\\` are often observed in malware employing DLL side-loading.', + 'Elastic Defned DLL Events include `dll.Ext.relative_file_creation_time` which help us limit the hunt to recently dropped DLLs.' +] +mitre = ["T1574", "T1574.002"] diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml deleted file mode 100644 index 8764dffaa13..00000000000 --- a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_elastic_defend.toml +++ /dev/null 
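Review bot: The `description` states the hunt matches a signed Windows process loading an unsigned DLL, but the second (Sysmon) query has no `process.code_signature.status` condition — only `file.code_signature.status != "Valid"` — so it also returns unsigned processes loading unsigned libraries; either qualify the description or add a note like the one the deleted `..._sysmon.toml` masquerading file carried (`Process code signature information is not captured in Sysmon Image Load Events`). `Elastic Defned` in the last note is a typo for `Elastic Defend`, carried over from the deleted files. In the first query `| where host_count == 1 and total_count <= 10 | keep ...` puts two commands on one line while the Sysmon query splits them; splitting keeps the two variants visually parallel.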
@@ -1,26 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "bcdb7c29-1312-4974-8f2e-10ddeb09cf5c" -name = "Detect Rare DLL SideLoad by Occurrence - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -query = ''' -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and dll.Ext.relative_file_creation_time <= 86400 -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and process.name != dll.name -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, dll.name, process.name, dll.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 | keep total_count, host_count, dll_folder, dll.name, process.name, dll.hash.sha256 -''' -notes = [ - 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.', - 
'Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.', - 'Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs.' -] -mitre = ["T1574", "T1574.002"] diff --git a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml b/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml deleted file mode 100644 index 37dfd5e9229..00000000000 --- a/hunting/windows/queries/detect_rare_dll_sideload_by_occurrence_sysmon.toml +++ /dev/null 
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "0df1e142-7d70-4112-be8d-6c60ac812883" -name = "Detect Rare DLL SideLoad by Occurrence - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and file.code_signature.status != "Valid" and - not file.path rlike """[c-fC-F]:\\(Windows|windows|WINDOWS)\\(System32|SysWOW64|system32|syswow64)\\[a-zA-Z0-9_]+.dll""" -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -| eval process_folder = substring(process.executable, 1, length(process.executable) - (length(process.name) + 1)) -| where process_folder is not null and dll_folder is not null and process_folder == dll_folder and file.name != process.name -/* paths normalization by removing random patterns */ -| eval dll_folder = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), process_folder = replace(process_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", ""), dll_folder = replace(dll_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\"), process_folder = replace(process_folder, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") -| stats host_count = count_distinct(host.id), total_count = count(*) by dll_folder, file.name, process.name, file.hash.sha256 -/* total_count can be adjusted to higher or lower values depending on env */ -| where host_count == 1 and total_count <= 10 -| keep total_count, host_count, dll_folder, file.name, process.name, file.hash.sha256 -''' 
-notes = [ - 'Based on the returned results you can further investigate suspicious DLLs by sha256 and library path.', - 'Paths like C:\\Users\\Public and C:\\ProgramData\\ are often observed in malware employing DLL side-loading.', - 'Elastic Defned DLL Events include dll.Ext.relative_file_creation_time which help us limit the hunt to recently dropped DLLs.' -] -mitre = ["T1574", "T1574.002"] diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml new file mode 100644 index 00000000000..60e6a54b734 --- /dev/null +++ b/hunting/windows/queries/detect_rare_lsass_process_access_attempts.toml 
@@ -0,0 +1,40 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies instances where a process attempts to open the Local Security Authority Subsystem Service (LSASS) memory and where the number of occurences is limited to one unique agent and a low number of attempts. This may indicate either a rare legitimate condition or a malicious process attempting to obtain credentials or inject code into the LSASS. +""" +integration = ["endpoint", "windows"] +uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a" +name = "Rare LSASS Process Access Attempts" +language = "ES|QL" +license = "Elastic License v2" +query = [ +''' +from logs-endpoint.events.api* +| where @timestamp > NOW() - 7 day +| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and + Target.process.name == "lsass.exe" +| keep process.executable.caseless, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats occurences = count(process), agents = count_distinct(host.id) by process +| where agents == 1 and occurences <= 10 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and + winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") +| keep process.executable, host.id + /* normalize process paths to reduce known random patterns in process.executable */ +| eval process_path = replace(process.executable, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path +| where agents == 1 and occurences <= 10 +''' +] +notes = [ + "Based on the process.executable and process.name you can pivot and investigate further for the matching instances.", + "Potential false-positives include rare legitimate conditions that may trigger this behavior due to third-party software or LSASS crashing.", +] +mitre = ["T1003", "T1003.001"] diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml deleted file mode 100644 index 2fab804ef9b..00000000000 --- a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_elastic_defend.toml +++ /dev/null 
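Review bot: In the Sysmon query the `winlog.event_data.TargetImage in (...)` list enumerates three casings of the LSASS path but omits the canonical `C:\\Windows\\System32\\lsass.exe` (capital drive letter and `System32`), so events with that casing are silently excluded; `to_lower(winlog.event_data.TargetImage) == "c:\\windows\\system32\\lsass.exe"` covers all variants and matches the `to_lower` approach this commit adopts in the docs hunk. `occurences` is misspelled in both the description and the `stats` alias; the description at least should read `occurrences`, and if the alias is renamed the `where agents == 1 and occurences <= 10` line must change with it. The first note mentions pivoting on `process.name`, but neither query keeps `process.name` — only `process.executable.caseless`/`process_path` survive the `keep` and `stats` — so the note should reference the fields the output actually exposes.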
@@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a" -name = "Detect Rare LSASS Process Access Attempts - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -query = ''' -from logs-endpoint.events.api* -| where @timestamp > NOW() - 7 day -| where event.category == "api" and host.os.family == "windows" and process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and - Target.process.name == "lsass.exe" -| keep process.executable.caseless, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process = replace(process.executable.caseless, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats occurences = count(process), agents = count_distinct(host.id) by process -| where agents == 1 and occurences <= 10 -''' -notes = [ - "Based on the process.executable and process.name you can pivot and investigate further the matching instances.", - "Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash.", -] -mitre = ["T1003", "T1003.001"] diff --git a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml b/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml deleted file mode 100644 index b74087bdf1a..00000000000 --- a/hunting/windows/queries/detect_rare_lsass_process_access_attempts_sysmon.toml +++ /dev/null 
@@ -1,24 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "3978e183-0b70-4e1c-8c40-24e367f6db5a" -name = "Detect Rare LSASS Process Access Attempts - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where event.category == "process" and host.os.family == "windows" and event.action == "ProcessAccess" and - winlog.event_data.TargetImage in ("C:\\Windows\\system32\\lsass.exe", "c:\\Windows\\system32\\lsass.exe", "c:\\Windows\\System32\\lsass.exe") -| keep process.executable, host.id - /* normalize process paths to reduce known random patterns in process.executable */ -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats occurences = count(process_path), agents = count_distinct(host.id) by process_path -| where agents == 1 and occurences <= 10 -''' -notes = [ - "Based on the process.executable and process.name you can pivot and investigate further the matching instances.", - "Potential false positives include rare legit condition that may trigger this behavior due to third party software or Lsass crash.", -] -mitre = ["T1003", "T1003.001"] diff --git a/hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml similarity index 56% rename from hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml rename to hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml index 67486279d51..d14755d19d5 100644 
--- a/hunting/windows/queries/doamin_names_queries_via_lolbins_and_with_low_occurence_frequency.toml
+++ b/hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml
@@ -1,22 +1,26 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for DNS queries performed by commonly abused Microsoft binaries that perform remote file transfer or binary proxy execution. Aggregations for the number of occurrences is limited to one host to reduce the number of potentially legitimate hits.
+"""
 integration = ["endpoint", "windows"]
 uuid = "ebf8eb13-c98a-4d2c-8bdb-3f72a3a3961b"
-name = "Doamin Names queries via Lolbins and with low occurence frequency"
+name = "DNS Queries via LOLBins with Low Occurence Frequency"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "Utilities like curl and SSL verification web-servvices are noisy, while others are rare like scripting utilities and are worth further investigation.",
- "Connection to legit domains like github, discord, telegram and many other legit web-services by lolbins is still suspicious and require further investigation.",
+ "Utilities like curl and SSL verification for web services are noisy, while others are rare such as scripting utilities and are worth further investigation.",
+ "Connection to legit domains like Github, Discord, Telegram and many other legit web services by LOLBins is still suspicious and require further investigation.",
 ]
-mitre = [ "T1071",]
-
-query = '''
+mitre = [ "T1071"]
+query = [
+'''
 from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and
- event.action in ("lookup_requested", "DNSEvent (DNS query)") and
- process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""
+| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "network" and
+ event.action in ("lookup_requested", "DNSEvent (DNS query)") and
+ process.name in ("powershell.exe", "rundll32.exe", "certutil.exe", "curl.exe", "wget.exe", "CertReq.exe", "bitsadmin.exe", "mshta.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "cscript.exe", "msbuild.exe", "regsvr32.exe", "MSBuild.exe", "InstallUtil.exe", "RegAsm.exe", "RegSvcs.exe", "msxsl.exe", "CONTROL.EXE", "Microsoft.Workflow.Compiler.exe", "msiexec.exe") and dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""
 | keep process.name, dns.question.name, host.id
 | stats occurrences = count(*), hosts = count_distinct(host.id) by process.name, dns.question.name
 | where hosts == 1
-'''
\ No newline at end of file
+''',
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml
new file mode 100644
index 00000000000..e4c7d0a2346
--- /dev/null
+++ b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml
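Review bot: The renamed title still carries the misspelling the commit set out to fix: `name = "DNS Queries via LOLBins with Low Occurence Frequency"` should read `Low Occurrence Frequency`, and the new file name keeps `occurence` as well, so a second rename is probably warranted. The TLD filter on the `process.name in (...)` line, `dns.question.name rlike """.+\.[a-z-A-Z]{2,3}"""`, appears to be matched against the whole value, so lookups for names ending in a four-or-more-letter TLD (`.info`, `.cloud`, `.dev`) are silently excluded from a hunt whose notes explicitly call out arbitrary web services; `[a-zA-Z]{2,}` keeps the intent and also drops the stray `-` between `z` and `A`, which looks like a typo rather than a deliberate literal hyphen. The notes' "Github" would conventionally be "GitHub".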
@@ -0,0 +1,45 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt helps identify drivers loaded once on a unique host and with a unique hash over a 15 day period of time. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.
+"""
+integration = ["endpoint", "windows", "system"]
+uuid = "99818ad6-c242-4da7-a41a-df64fe7314d6"
+name = "Low Occurrence of Drivers Loaded on Unique Hosts"
+language = "ES|QL"
+license = "Elastic License v2"
+notes = [
+ "This hunt has three optional queries, one for Elastic Defend data, another for Sysmon data and the last one for Windows 7045 events.",
+ "Further investigation can be done pivoting by `dll.pe.imphash` or `dll.name.`",
+ "`dll.Ext.relative_file_creation_time` is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).",
+ "Aggregation can also be done by `dll.hash.sha256` / `file.hash.sha256` but will return more results.",
+ "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).",
+]
+mitre = [ "T1068"]
+query = [
+'''
+from logs-endpoint.events.library-*
+| where @timestamp > now() - 15 day
+| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900
+| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash
+| where host_count == 1 and total_count == 1 and hash_count == 1
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > now() - 15 day
+| where host.os.family == "windows" and event.category == "driver"
+| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name
+| where host_count == 1 and total_count == 1 and hash_count == 1
+''',
+'''
+from logs-system.system-*
+| where @timestamp > now() - 15day
+| where host.os.family == "windows" and event.code == "7045" and
+ winlog.event_data.ServiceType == "kernel mode driver"
+| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
+| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
+| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
+| where hosts == 1 and cc == 1
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml
deleted file mode 100644
index baa16b71231..00000000000
--- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_elastic_defend.toml
+++ /dev/null
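Review bot: The third query's lookback is written `| where @timestamp > now() - 15day` while the first two use `now() - 15 day`; if the ES|QL parser rejects the unspaced duration this query fails while its siblings run, and even if it is accepted the three should agree. The second note closes its code span after the period, `` `dll.name.` `` → `` `dll.name`. ``, and the BYOVD note says something slightly different from what it means; `"Drivers abused in Bring Your Own Vulnerable Driver (BYOVD) attacks are legitimately signed and not malicious in themselves, so further investigation should check the surrounding events (service creation, the process that dropped the driver, etc.)."` is more precise. The 7045 query keys only on `ServiceFileName` with `hosts == 1 and cc == 1` and has no hash constraint like the other two, presumably because the 7045 event carries no file hash; the description's "with a unique hash" therefore does not hold for that query, and a short note saying so would prevent readers from reading the results as hash-unique.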
@@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "99818ad6-c242-4da7-a41a-df64fe7314d6" -name = "Drivers Load with low occurrence frequency - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.", - "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).", - "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.", - "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).", -] -mitre = [ "T1068",] - -query = ''' -from logs-endpoint.events.library-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900 -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash -| where host_count == 1 and total_count == 1 and hash_count == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml deleted file mode 100644 index 3e9ed78776d..00000000000 --- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_sysmon.toml +++ /dev/null 
@@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "6bb90aba-af6b-4128-a9b2-160e164a15ff" -name = "Drivers Load with low occurrence frequency - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.", - "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).", - "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.", - "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).", -] -mitre = [ "T1068",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > now() - 15 day -| where host.os.family == "windows" and event.category == "driver" -| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name -| where host_count == 1 and total_count == 1 and hash_count == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml b/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml deleted file mode 100644 index 6fe4224aede..00000000000 --- a/hunting/windows/queries/drivers_load_with_low_occurrence_frequency_windows_7045.toml +++ /dev/null 
@@ -1,26 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["system"] -uuid = "bc4848ce-5323-42b4-a559-3333c11ca938" -name = "Drivers Load with low occurrence frequency - Windows 7045" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt helps identify drivers loaded once, on a unique host and with a unique hash over a 15 days period of time. Further investigation can be done pivoting by dll.pe.imphash or dll.name. Advanced adversaries may leverage legit vulnerable driver to tamper with existing defences or execute code in Kernel mode.", - "dll.Ext.relative_file_creation_time is used in the first query to limit the result to recently dropped drivers (populated in Elastic Defend).", - "aggregation can be done also by dll.hash.sha256 / file.hash.sha256 but will return more results.", - "Bring Your Own Vulnerable Driver (BYOVD) are all signed and not malicious, further investigation should be done to check the surrounding events (service creation, process that dropped the driver etc.).", -] -mitre = [ "T1068",] - -query = ''' -from logs-system.system-* -| where @timestamp > now() - 15day -| where host.os.family == "windows" and event.code == "7045" and - winlog.event_data.ServiceType == "kernel mode driver" -| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") -| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName -| where hosts == 1 and cc == 1 -''' \ No newline at end of file 
diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml deleted file mode 100644 index d57b7cd5131..00000000000 --- a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user-_elastic_defend_sysmon.toml +++ /dev/null @@ -1,24 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "fe01a8a5-6367-4c4c-a57b-be513ab80e42" -name = "Excessive RDP Network Activity by Source Host and User- Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.", - "Further investigation can done pivoting by host.id and user name.", - "Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.", -] -mitre = [ "T1021", "T1021.001",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 -| keep destination.ip, host.id, user.name -| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name - /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ -| where count_unique_dst >= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml new file mode 100644 index 00000000000..607fc20fa45 
--- /dev/null
+++ b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml
@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt looks for a high occurrence of remote desktop connections from the same host and user. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol (RDP).
+"""
+integration = ["endpoint", "windows"]
+uuid = "fe01a8a5-6367-4c4c-a57b-be513ab80e42"
+name = "Excessive RDP Network Activity by Host and User"
+language = "ES|QL"
+license = "Elastic License v2"
+notes = [
+ "Further investigation can done pivoting by `host.id` and `user.name`.",
+ "Depending on normal SysAdmin RDP activity, the threshold of 10 can be adjusted to reduce normal noisy activity.",
+ "The second query uses Windows Security log event ID 4624 to summarize numbers of RDP connections by `source.ip` and `user.name` and duration."
+]
+mitre = [ "T1021", "T1021.001"]
+
+query = [
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| keep destination.ip, host.id, user.name
+| stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name
+ /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */
+| where count_unique_dst >= 10
+''',
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day
+| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and
+ network.transport == "tcp"and destination.port == 3389 and source.port >= 49152
+| stats agents = count_distinct(host.id) by source.ip
+| where agents >= 10
+'''
+]
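Review bot: The third note does not describe the second query: it says the query uses Windows Security event ID 4624 and summarizes connections by `source.ip`, `user.name` and duration, but the query reads `logs-endpoint.events.network-*, logs-windows.sysmon_operational-*`, filters ingress `svchost.exe` connections on port 3389 and aggregates only `count_distinct(host.id) by source.ip`. Either rewrite the note to match, e.g. `"The second query counts the distinct hosts receiving inbound RDP connections from each source.ip and flags sources reaching 10 or more hosts."`, or the 4624-based query it describes was meant to be added to the list and is missing. Separately, `network.transport == "tcp"and destination.port == 3389` lacks a space before `and` in both queries here and again in the `excessive_smb_network_activity_by_process_id.toml` hunk; it is carried over from the deleted file so it presumably parses, but it is worth normalising while these files are being rewritten.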
diff --git a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml b/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml deleted file mode 100644 index 3b5d03a41de..00000000000 --- a/hunting/windows/queries/excessive_rdp_network_activity_by_source_host_elastic_defend_sysmon.toml +++ /dev/null @@ -1,21 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "6ff3a518-3bf4-4e7d-9a66-2ef7aaa68cfc" -name = "Excessive RDP Network Activity by Source Host - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for high number of Remote Desktop connections from same host and user.name to more than a defined threshold of unique destination Ip addresses. This could be a sign of discovery or lateral movement via the Remote Desktop Protocol.", - "Further investigation can done pivoting by host.id and user name.", - "Depending on normal SysAdmin RDP activity the 10 threshold can be adjusted to reduce normal noisy activity.",] -mitre = [ "T1021", "T1021.001",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and process.name == "svchost.exe" and network.direction == "ingress" and - network.transport == "tcp"and destination.port == 3389 and source.port >= 49152 -| stats agents = count_distinct(host.id) by source.ip -| where agents >= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml b/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml index 5ca5fce97b9..8292137ebd3 100644 --- a/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml +++ b/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml 
@@ -1,23 +1,26 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for a high occurrence of SMB connections from the same process by unique destination IP addresses. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of SMB scanning or lateral movement via remote services that depend on the SMB protocol.
+"""
 integration = ["endpoint", "windows"]
 uuid = "6949135b-76d7-47a3-ae95-ef482508fb7c"
-name = "Excessive SMB Network Activity by process Id"
+name = "Excessive SMB Network Activity by Process ID"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt looks for high number of SMB connections from same process to more than a defined threshold of unique destination Ip addresses. This could be a sign of SMB scanning or some lateral movement via remote services that depend on SMB protocol.",
- "Further investigation can done pivoting by process.entity_id and host.id.",
- "Maximum number of unique destination.ip by process can be adjusted to your environment to reduce normal noisy hosts by Id.",]
+ "Further investigation can done pivoting by `process.entity_id` and `host.id.`",
+ "Maximum number of unique `destination.ip` by process can be adjusted to your environment to reduce normal noisy hosts by process ID.",]
 mitre = [ "T1021", "T1021.002",]
-
-query = '''
-from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day and
- host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
+query = [
+'''
+from logs-endpoint.events.network-*, logs-windows.sysmon_operational-*
+| where @timestamp > now() - 7 day and
+ host.os.family == "windows" and event.category == "network" and network.direction == "egress" and
 network.transport == "tcp"and destination.port == 445 and source.port >= 49152 and process.pid == 4
 | keep destination.ip, process.entity_id, host.id
 | stats count_unique_dst = count_distinct(destination.ip) by process.entity_id, host.id
 /* threshold set to 20 but can be adjusted to reduce normal baseline in your env */
 | where count_unique_dst >= 20
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
new file mode 100644
index 00000000000..94df6676a50
--- /dev/null
+++ b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml
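Review bot: The first new note closes its code span after the period, `` `host.id.` `` → `` `host.id`. ``. The unchanged `process.pid == 4` filter on the `network.transport` line is the crux of the query and deserves the same kind of inline comment the threshold already has, e.g. `/* pid 4 is the Windows System process, where the kernel SMB redirector's outbound 445 connections appear */` on the line above it, so the next reader does not take the literal for a placeholder; if that is not the intent behind the filter, the note should say what is.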
@@ -0,0 +1,39 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies executable file creation by an unusual Microsoft native binary. This could be the result of
+code injection or some other form of exploitation for defense evasion.
+"""
+integration = ["endpoint", "windows"]
+uuid = "3b2900fe-74d9-4c49-b3df-cbeceb02e841"
+name = "Executable File Creation by an Unusual Microsoft Binary"
+language = "ES|QL"
+license = "Elastic License v2"
+notes = [
+ "This hunt includes two optional queries, one for Elastic Defend data and another for Sysmon data.",
+ "Sysmon file events don't populate file header and process code signature information thus we use `file.extension`.",
+ "Some exploits may result in the creation of an executable file by the exploited process.",
+ "Further investigation can be done by pivoting on `process.executable` and filtering for executable file creation.",
+]
+mitre = [ "T1211", "T1055",]
+query = [
+'''
+from logs-endpoint.events.file-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and
+ starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
+ starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
+| keep process.executable, host.id
+| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurences <= 10
+''',
+'''
+from logs-windows.sysmon_operational-*
+| where @timestamp > NOW() - 7 day
+| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and
+ file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
+| keep process.executable, host.id
+| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
+| where agents == 1 and occurences <= 10
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml
deleted file mode 100644
index 12708944beb..00000000000
--- a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_elastic_defend.toml
+++ /dev/null
@@ -1,24 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint"]
-uuid = "3b2900fe-74d9-4c49-b3df-cbeceb02e841"
-name = "Executable File creation by an Unusual Microsoft Binary - Elastic Defend"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "Sysmon file event don't populate file header and process code signature information thus the use of file.extension.",
- "Some exploits may result in the creation of an executable file by the exploited process.",
- "Further investigation can be done pivoting by process.executable and filter for executable file creation.",
-]
-mitre = [ "T1211", "T1055",]
-
-query = '''
-from logs-endpoint.events.file-*
-| where @timestamp > NOW() - 7 day
-| where host.os.family == "windows" and event.category == "file" and event.action == "creation" and
- starts_with(file.Ext.header_bytes, "4d5a") and process.code_signature.status == "trusted" and
- starts_with(process.code_signature.subject_name, "Microsoft") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe"""
-| keep process.executable, host.id
-| stats occurences = count(*), agents = count_distinct(host.id) by process.executable
-| where agents == 1 and occurences <= 10
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml b/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml
deleted file mode 100644
index e8454e89c89..00000000000
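Review bot: Both `rlike` patterns end in `[a-zA-Z0-9_]+.exe` with an unescaped `.`, so the dot matches any character and a path such as `C:\Windows\System32\fooXexe` would satisfy the filter; `[a-zA-Z0-9_]+\.exe` states the intent, and the same pattern appears in both the Defend and the Sysmon query of this file. The pattern also only admits executables directly under `System32` or `SysWOW64` whose names are limited to `[a-zA-Z0-9_]`, which excludes hyphenated names and any subdirectory — fine if deliberate, but a note such as `"The path pattern intentionally scopes the hunt to binaries directly under System32/SysWOW64; widen it if your environment needs coverage of subdirectories."` would stop the next reader from "fixing" it.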
--- a/hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary_sysmon.toml +++ /dev/null @@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "36c94354-9d6e-4dc5-b2aa-a7cf578a4169" -name = "Executable File creation by an Unusual Microsoft Binary - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon file event don't populate file header and process code signature information thus the use of file.extension.", - "Some exploits may result in the creation of an executable file by the exploited process.", - "Further investigation can be done pivoting by process.executable and filter for executable file creation.", -] -mitre = [ "T1211", "T1055",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action == "FileCreate" and - file.extension in ("exe", "dll") and process.executable rlike """[c-fC-F]:\\Windows\\(System32|SysWOW64)\\[a-zA-Z0-9_]+.exe""" -| keep process.executable, host.id -| stats occurences = count(*), agents = count_distinct(host.id) by process.executable -| where agents == 1 and occurences <= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml deleted file mode 100644 index 5da7f9f9bab..00000000000 --- a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency.toml +++ /dev/null 
@@ -1,24 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "fd3f9982-fd8c-4f0f-bbe6-e589752c34db" -name = "Execution via Network Logon by occurrence frequency" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.", - "Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.", - "Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.", -] -mitre = [ "T1021",] - -query = ''' -from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and - /* network logon type and the execution is within 30 seconds of the logon time */ - process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30 -| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name - /* unique hash limited to one host and number of execution is 1 */ -| where hosts == 1 and total == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml index ab7da37ec48..0f05183e689 100644 --- a/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml +++ b/hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml 
@@ -1,24 +1,40 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt aggregates process execution and remote network logons by source address, account name and process hash. It then limits the results by unique host within a 7 day period. This may indicate lateral movement via remote services.
+"""
 integration = ["endpoint"]
 uuid = "ae07c580-290e-4421-add8-d6ca30509b6a"
-name = "Execution via Network Logon by occurrence frequency by top Source IP"
+name = "Frequency of Process Execution via Network Logon by Source Address"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.",
- "Execution via legit Microsoft processes like powershell and cmd need to further investigated via aggregation by process.command_line.",
- "Aggregation can be also done by process.executable, normalizing process path by removing random patterns using the REPLACE function via regex.",
+ "The second query highest occurrence of source addresses/accounts performing remote process execution",
+ "`process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+ and above.",
+ "Execution via legitimate Microsoft processes for PowerShell and cmd need to be further investigated via aggregation by `process.command_line`.",
+ "Aggregation can be also done by `process.executable`, normalizing process path by removing random patterns using the ES|QL REPLACE function.",
 ]
 mitre = [ "T1021",]
 
-query = '''
+query = [
+'''
 from logs-endpoint.events.process-*
-| where @timestamp > now() - 7 day and host.os.family == "windows" and
- event.category == "process" and event.action == "start" and
+| where @timestamp > now() - 7 day and host.os.family == "windows" and
+ event.category == "process" and event.action == "start" and
 /* network logon type and the execution is within 30 seconds of the logon time */
 process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30
 | stats total = count(*) by process.Ext.session_info.client_address, user.name
 /* sort by top source.ip and account */
 | sort total desc
-'''
\ No newline at end of file
+''',
+'''
+from logs-endpoint.events.process-*
+| where @timestamp > now() - 7 day and host.os.family == "windows" and
+ event.category == "process" and event.action == "start" and
+ /* network logon type and the execution is within 30 seconds of the logon time */
+ process.Ext.session_info.logon_type == "Network" and process.Ext.session_info.relative_logon_time <= 30
+| stats total = count(*), hosts = count_distinct(host.id) by process.hash.sha256, process.Ext.session_info.client_address, user.name, process.parent.name
+ /* unique hash limited to one host and number of execution is 1 */
+| where hosts == 1 and total == 1
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/execution_via_remote_services_by_client_address.toml b/hunting/windows/queries/execution_via_remote_services_by_client_address.toml
index 6235064514b..b84ccd6668f 100644
--- a/hunting/windows/queries/execution_via_remote_services_by_client_address.toml
+++ b/hunting/windows/queries/execution_via_remote_services_by_client_address.toml
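Review bot: The first new note is ungrammatical and points at the wrong query: `"The second query highest occurrence of source addresses/accounts performing remote process execution"` has no verb, and it is the first query that ranks source addresses with `| sort total desc`, while the second is the one aggregating by `process.hash.sha256` and keeping `hosts == 1 and total == 1`. Something like `"The first query ranks source addresses and accounts by the number of processes executed via network logon; the second limits results to process hashes executed once on a single host."` matches what the two queries do. `"versions 8.6.0+ and above"` says the same thing twice; `"versions 8.6.0 and above"` is enough.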
@@ -1,23 +1,28 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregates process execution via remote network logon by source address, account name and where the parent process is related to remote services such as WMI, WinRM, DCOM and remote PowerShell. This may indicate lateral movement via remote services. +""" integration = ["endpoint"] uuid = "e6e54717-2676-4785-a4a6-503577bfb0ea" name = "Execution via Remote Services by Client Address" language = "ES|QL" license = "Elastic License v2" notes = [ - "process.Ext.session_info.* is populated for Elastic Defend version 8.6 and above.", + "`process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+.", ] -mitre = [ "T1021", "T1021.003", "T1021.006", "T1047",] +mitre = [ "T1021", "T1021.003", "T1021.006", "T1047"] -query = ''' +query = [ +''' from logs-endpoint.events.process-* -| where @timestamp > now() - 7 day and host.os.family == "windows" and - event.category == "process" and event.action == "start" and +| where @timestamp > now() - 7 day and host.os.family == "windows" and + event.category == "process" and event.action == "start" and /* network logon type */ - process.Ext.session_info.logon_type == "Network" and + process.Ext.session_info.logon_type == "Network" and (process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") or (process.parent.name == "svchost.exe" and process.parent.args == "DcomLaunch")) | stats total = count(*), hosts = count_distinct(host.id) by process.Ext.session_info.client_address, user.name, process.parent.name /* sort by top source.ip and account */ | sort total desc -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml index b01195d192b..f31fe0239e2 100644 
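Review bot: The unchanged context line `(process.parent.name .caseless in ("wmiprvse.exe", ...)` shows a space between `process.parent.name` and `.caseless`; if that space is really in the file rather than an artifact of the collapsed layout here, the query will not parse and the hunt is broken regardless of this commit. Worth checking the file directly, since every other hunt in this change writes `process.parent.name.caseless` without a space.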
--- a/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/execution_via_startup_with_low_occurrence_frequency.toml 
@@ -1,22 +1,25 @@ [hunt] author = "Elastic" +description = """ +This hunt identifies programs started shortly after user logon and presence limited to a unique host. Run registry key and Startup folder cause programs to run each time that a user logs on and are often abused by malwares to maintain persistence on an endpoint. +""" integration = ["endpoint"] uuid = "a447df80-d3d5-48b3-a175-a864264ec487" -name = "Execution via Startup with low occurrence frequency" +name = "Startup Execution with Low Occurrence Frequency by Unique Host" language = "ES|QL" license = "Elastic License v2" notes = [ - "Items set to persist via Startup like Run key and Startup folder will be executed by Explorer.exe shortly after user logon (process.Ext.session_info.relative_logon_time help us to capture that time difference).", - "Pay close attention to unknown hashes, suspicious paths and lolbins.", + "Items set to persist via Startup such as Run keys and Startup folder will be executed by `Explorer.exe` shortly after user logon (`process.Ext.session_info.relative_logon_time` helps us to capture that time difference).", + "Special attention to unknown hashes, suspicious paths and LOLBins should be given.", ] mitre = [ "T1547", "T1547.001",] - -query = ''' +query = [ +''' from logs-endpoint.events.process-* -| where host.os.family == "windows" and event.category == "process" and event.action == "start" and +| where host.os.family == "windows" and event.category == "process" and event.action == "start" and /* programs started shortly after user logon like startup items */ - process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and - not starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and + process.parent.executable.caseless == "c:\\windows\\explorer.exe" and process.Ext.session_info.relative_logon_time <= 100 and + not 
starts_with(process.executable, "C:\\Program Files") and not starts_with(process.executable, "C:\\Windows\\System32\\DriverStore\\FileRepository\\") and /* this hunt is scoped to unsigned or untrusted code-sig or Microsoft signed binaries to not miss lolbins */ (process.code_signature.exists == false or process.code_signature.trusted == false or starts_with(process.code_signature.subject_name, "Microsoft")) | keep process.executable, host.id, process.hash.sha256 @@ -24,4 +27,5 @@ from logs-endpoint.events.process-* | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~' ]+\\""", "C:\\\\users\\\\user\\\\") | stats hosts = count_distinct(host.id) by process_path, process.hash.sha256 | where hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml new file mode 100644 index 00000000000..41aa38bf7d9 --- /dev/null +++ b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml 
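Review bot: The rewritten `| where host.os.family == "windows" and event.category == "process" and event.action == "start" and` line in the first hunk still has no time bound, while every other hunt in this change starts with `@timestamp > now() - 7 day`; without it the `count_distinct(host.id)` in the second hunk runs over the whole retention period, which makes `hosts == 1` less meaningful and the query heavier. Suggest `| where @timestamp > now() - 7 day and host.os.family == "windows" and event.category == "process" and event.action == "start" and`. In the description, `malwares` should be `malware`, and the reworded note `Special attention to unknown hashes, suspicious paths and LOLBins should be given.` reads better as `Pay close attention to unknown hashes, suspicious paths and LOLBins.`.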
@@ -0,0 +1,45 @@ +[hunt] +author = "Elastic" +description = """ +This hunt looks for unique process execution via Windows Management Instrumentation (WMI) by removing random patterns from `process.command_line` and aggregating execution by count of agents with the same command line to limit results to unique ones. +""" +integration = ["endpoint", "windows", "system"] +uuid = "b5efeb92-9b51-45b9-839f-be4cdc054ef4" +name = "Low Frequency of Process Execution via WMI by Unique Agent" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt contains three queries for Elastic Defend, Sysmon, and Windows Security event 4688."] +mitre = [ "T1047"] +query = [ +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name == "WmiPrvSE.exe" and starts_with(process.code_signature.subject_name, "Microsoft") +| keep process.hash.sha256, host.id, process.name +| stats agents = count_distinct(host.id) by process.name +| where agents == 1 +''', +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation", "created-process") and + to_lower(process.parent.name) == "wmiprvse.exe" +| keep process.command_line, host.id +| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| stats agents = count_distinct(host.id) by cmdline +| where agents == 1 +''', +''' +from logs-endpoint.events.process-*, 
logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day and + host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false) +| keep process.hash.sha256, host.id, process.name +| stats agents = count_distinct(host.id) by process.hash.sha256 +| where agents == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml deleted file mode 100644 index 54b18862334..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent_elastic_defend_sysmon.toml +++ /dev/null 
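Review bot: The three queries match the WMI provider host three different ways: `process.parent.name == "WmiPrvSE.exe"` (case-sensitive) in the first, `to_lower(process.parent.name) == "wmiprvse.exe"` in the second and `process.parent.name.caseless == "wmiprvse.exe"` in the third. The first form misses any event where the casing differs (the deleted file used `.caseless` for this query), and `.caseless` presumably depends on that multi-field being mapped for the Sysmon index as well; the `to_lower` form works for both data sources, so suggest `to_lower(process.parent.name) == "wmiprvse.exe"` in the first and third queries too. The first query also keeps `process.hash.sha256` but never uses it (the stats groups by `process.name`), so it can be dropped from that `keep`.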
@@ -1,21 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "b5efeb92-9b51-45b9-839f-be4cdc054ef4" -name = "Execution via Windows Management Instrumentation by occurrence frequency by Unique Agent - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.",] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name.caseless == "wmiprvse.exe" and starts_with(process.code_signature.subject_name, "Microsoft") -| keep process.hash.sha256, host.id, process.name -| stats agents = count_distinct(host.id) by process.name -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml deleted file mode 100644 index d56344cf542..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon.toml +++ /dev/null 
@@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "958a9027-2c6f-4eb0-a9ca-d1116a3bec76" -name = "Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.", -] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name.caseless == "wmiprvse.exe" and (process.code_signature.exists == false or process.code_signature.trusted == false) -| keep process.hash.sha256, host.id, process.name -| stats agents = count_distinct(host.id) by process.hash.sha256 -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml b/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml deleted file mode 100644 index 928f28637d2..00000000000 --- a/hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_elastic_defend_sysmon_windows_security.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows", "system"] -uuid = "793d5655-d7d9-422a-ba9d-1fa75029265e" -name = "Execution via Windows Management Instrumentation by occurrence frequency - Elastic Defend - Sysmon - Windows Security" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for unique process execution via Windows Management Instrumentation by removing random patterns from process.command_line and aggregating execution by count of agents with same cmdline to limit result to unique ones.", - "This hunt is compatible with Sysmon, Elastic Defend and Windows Security event 4688.", -] -mitre = [ "T1047",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where @timestamp > now() - 7 day and - host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation", "created-process") and - process.parent.name.caseless == "wmiprvse.exe" -| keep process.command_line, host.id -| eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| stats agents = count_distinct(host.id) by cmdline -| where agents == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml index 0602934bda3..edd5db88e09 100644 --- a/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml 
@@ -1,24 +1,28 @@ [hunt] author = "Elastic" +description = """ +Aggregating by paths/hash, this hunt identifies rare instances where a program executes as a child process of the Tasks Scheduler service. This could be the result of persistence as a Windows Scheduled Task. +""" integration = ["endpoint", "windows"] uuid = "96d5afc8-1f25-4265-8a0e-9998091a2e1f" -name = "Execution via Windows Scheduled Task with low occurrence frequency" +name = "Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent" language = "ES|QL" license = "Elastic License v2" notes = [ - "Windows security event 4688 lacks process.parent.command_line needed for this hunt to identify the Schedule svchost instance.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", + "Windows security event 4688 lacks `process.parent.command_line` needed for this hunt to identify the Schedule `svchost` instance.", + "Unique `process.hash.sha256` and agent is not necessarily malicious, however this helps surface signals worth further investigation.", ] -mitre = [ "T1053", "T1053.005",] - -query = ''' +mitre = [ "T1053", "T1053.005"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and - event.action in ("start", "Process creation") and process.code_signature.trusted != true and +| where @timestamp > now(-) - 7 day +| where host.os.family == "windows" and event.category == "process" and + event.action in ("start", "Process creation") and process.code_signature.trusted != true and /* child process of the Tasks Schedule service */ process.parent.name == "svchost.exe" and ends_with(process.parent.command_line, "Schedule") | stats hosts = count_distinct(host.id) by process.hash.sha256, process.name /* unique hash observed in one unique agent */ | where hosts == 1 -''' \ No newline at 
end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml new file mode 100644 index 00000000000..bad8e38a795 --- /dev/null +++ b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency.toml 
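Review bot: `| where @timestamp > now(-) - 7 day` on the new side is a typo — `now(-)` is not valid ES|QL, so the query will fail to parse and this hunt is broken as committed. It should read `| where @timestamp > now() - 7 day`, as in the line it replaces and in every other hunt here. Since the hunting queries do not appear to be executed by CI, a syntax check over the `query` arrays in these TOML files would catch this class of error before merge.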
@@ -0,0 +1,39 @@ +[hunt] +author = "Elastic" +description = """ +This hunt looks for a low occurrence of process execution via the Windows Services Control Manager by unique agent. The Services Control Manager is responsible for starting, stopping, and interacting with system services. This could be a sign of persistence as a Windows service. +""" +integration = ["endpoint", "windows", "system"] +uuid = "858b7022-b587-4b95-afd6-8ce597bedce3" +name = "Low Occurence of Process Execution via Windows Services with Unique Agent" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt contains two queries for Elastic Defend and Windows Security event 4688.", + "Windows security event 4688 lacks code signature and hash information, hence the use of `process.executable` for aggregation.", + "Unique `process.hash.sha256` and agent is not necessarily malicious, this help surface ones worth further investigation.", + "Suspicious `process.executable` paths and LOLBins should be reviewed further.", +] +mitre = [ "T1543", "T1543.003"] +query = [ +''' +from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and + process.parent.name == "services.exe" and process.code_signature.trusted != true +| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name + /* unique hash observed in one unique agent */ +| where hosts == 1 +''', +''' +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and + event.action == "created-process" and process.parent.name == "services.exe" +| eval process_path = replace(process.executable, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id) by process_path + /* unique path observed in one unique agent */ +| where hosts == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml deleted file mode 100644 index d9a1dae2780..00000000000 --- a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_elastic_defend_sysmon.toml +++ /dev/null 
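Review bot: The user-profile normalisation in the second query uses the character class `[a-zA-Z0-9\.\-\_\$~]+` with no space or apostrophe, so profile directories such as `C:\Users\John Doe\` are not rewritten to `C:\users\user\` and those paths keep their per-user uniqueness, which defeats the `hosts == 1` aggregation for such users; the startup hunt in this same change uses `[a-zA-Z0-9\.\-\_\$~' ]+` and the two should agree. The `name` value also has a typo: `Low Occurence` → `Low Occurrence`. The note `this help surface ones` should read `this helps surface ones`.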
@@ -1,23 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "858b7022-b587-4b95-afd6-8ce597bedce3" -name = "Execution via Windows Services with low occurrence frequency - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation") and - process.parent.name == "services.exe" and process.code_signature.trusted != true -| stats hosts = count_distinct(host.id) by process.hash.sha256, process.name - /* unique hash observed in one unique agent */ -| where hosts == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml b/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml deleted file mode 100644 index 621e174fc0a..00000000000 --- a/hunting/windows/queries/execution_via_windows_services_with_low_occurrence_frequency_windows_security.toml +++ /dev/null 
@@ -1,25 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["system"] -uuid = "5fdc9f73-c6a4-4ea4-8e16-347ed675e236" -name = "Execution via Windows Services with low occurrence frequency - Windows Security" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Windows security event 4688 lacks code signature and hash information, hence the use of process.executable for aggregation.", - "Unique process.hash.sha256 and agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-system.security-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.code == "4688" and - event.action == "created-process" and process.parent.name == "services.exe" -| eval process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| stats hosts = count_distinct(host.id) by process_path - /* unique path observed in one unique agent */ -| where hosts == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml new file mode 100644 index 00000000000..44ae0c42423 --- /dev/null +++ b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process.toml 
@@ -0,0 +1,65 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address, limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint. +""" +integration = ["endpoint", "windows"] +uuid = "ed254a22-e7bb-4a36-9291-196b77762dd8" +name = "High Count of Network Connection Over Extended Period by Process" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes three queries for Elastic Defend and Sysmon data sources.", +] +mitre = [ "T1071"] +query = [ +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and + /* excluding DNS */ + destination.port != 53 and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id + /* calc total duration and the number of connections per hour */ +| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), 
duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour + /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */ +| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 +''', +''' +from logs-endpoint.events.network-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and +(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and + /* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, 
number_of_con_per_hour + /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ +| where duration_hours >= 1 and number_of_con_per_hour >= 120 +''', +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "network" and + network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and +/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ +not (process.name == "svchost.exe" and user.id == "S-1-5-18") and +/* excluding private IP ranges */ + not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") +| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp + /* calc total duration , total MB out and the number of connections per hour */ +| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name +| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) +| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour +/* threshold is set to 120 connections per minute , you can 
adjust it to your env/FP rate */ +| where duration_hours >= 1 and number_of_con_per_hour >= 120 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml deleted file mode 100644 index 75556ed2372..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network.toml +++ /dev/null 
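Review bot: In all three queries the comment `threshold is set to 120 connections per minute` contradicts the field it gates, `number_of_con_per_hour >= 120`; it should say per hour. Also `duration_hours=TO_INT(dur/3600000)` is 0 for any destination seen for less than an hour, so `count_connections / duration_hours` divides by zero before the `where duration_hours >= 1` filter is applied; as far as I know ES|QL yields null with a warning rather than failing, but splitting the eval so the filter comes first avoids the noise: `| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000)`, `| where duration_hours >= 1`, `| eval number_of_con_per_hour = (count_connections / duration_hours)`. The first query also has no `@timestamp > now() - 7 day` bound, unlike the other two.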
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "76843f1f-404d-42b8-9c25-fcc14e270240" -name = "High count of network connection over extended period by process - Elastic Defend Network" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process. Scoped for unsigned processes or ones running from suspicious paths, the Sysmon network events don't include process code signature information", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and -(process.code_signature.exists == false or process.code_signature.trusted != true or starts_with(process.executable, "C:\\Users\\Public\\")) and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, 
destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml deleted file mode 100644 index 9362fdb25e2..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_network_sysmon.toml +++ /dev/null 
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "ed254a22-e7bb-4a36-9291-196b77762dd8" -name = "High count of network connection over extended period by process - Elastic Defend Network - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt identify browser or svchost instances performing a considerable number of connections per hour over an extended period of hours to a specific destination address and this is limited to a unique host of the monitored agents. Browsers and svchost are both good targets for masquerading network traffic on the endpoint.", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and process.name in ("chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe", "svchost.exe") and - /* excluding DNS */ - destination.port != 53 and - /* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp, host.id - /* calc total duration and the number of connections per hour */ -| stats count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp), hosts= count_distinct(host.id), count_unique_pids = count_distinct(process.entity_id) by destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), number_of_con_per_hour = 
(count_connections / duration_hours) -| keep process.name, duration_hours, destination.address, hosts, count_unique_pids, count_connections, number_of_con_per_hour - /* threshold is set to 120 connections per minute during 4 hours and limited to 1 agent and 1 pid, you can adjust this values to your hunting needs */ -| where number_of_con_per_hour >= 120 and duration_hours >= 4 and hosts == 1 and count_unique_pids == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml b/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml deleted file mode 100644 index 68aa9903d26..00000000000 --- a/hunting/windows/queries/high_count_of_network_connection_over_extended_period_by_process_elastic_defend_sysmon.toml +++ /dev/null 
@@ -1,29 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint", "windows"] -uuid = "7ee9a5a7-3ce1-47eb-b15a-1b148299fcf0" -name = "High count of network connection over extended period by process - Elastic Defend - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt aggregate by process Id and destination ip the number of connections per hour over a period of time greater than a defined threshold. The process paths are scoped to Microsoft signed binaries often injected or used as a lolbin to masquerade malicious execution. This could be a sign of long term network activity to perform command and control from an injected process.", -] -mitre = [ "T1071",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and - network.direction == "egress" and (process.executable like "C:\\\\Windows\\\\System32*" or process.executable like "C:\\\\Windows\\\\SysWOW64\\\\*") and not user.id in ("S-1-5-19", "S-1-5-20") and -/* multiple Windows svchost services perform long term connection to MS ASN, can be covered in a dedicated hunt */ -not (process.name == "svchost.exe" and user.id == "S-1-5-18") and -/* excluding private IP ranges */ - not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") -| keep source.bytes, destination.address, process.name, process.entity_id, @timestamp - /* calc total duration , total MB out and the number of connections per hour */ -| stats total_bytes_out = sum(source.bytes), 
count_connections = count(*), start_time = min(@timestamp), end_time = max(@timestamp) by process.entity_id, destination.address, process.name -| eval dur = TO_DOUBLE(end_time)-TO_DOUBLE(start_time), duration_hours=TO_INT(dur/3600000), MB_out=TO_DOUBLE(total_bytes_out) / (1024*1024), number_of_con_per_hour = (count_connections / duration_hours) -| keep process.entity_id, process.name, duration_hours, destination.address, MB_out, count_connections, number_of_con_per_hour -/* threshold is set to 120 connections per minute , you can adjust it to your env/FP rate */ -| where duration_hours >= 1 and number_of_con_per_hour >= 120 -''' \ No newline at end of file diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml new file mode 100644 index 00000000000..7858e90607f --- /dev/null +++ b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency.toml 
@@ -0,0 +1,48 @@ +[hunt] +author = "Elastic" +description = """ +This hunt returns the SHA256 hash and the `dll.path` of unsigned libraries loaded by svchost where the presence of unique path/hash is limited to a unique host. Adversaries may use Windows service DLLs to maintain persistence or run with System privileges. +""" +integration = ["endpoint", "windows"] +uuid = "e37fe0b9-1b70-4800-8989-58bac5a0a9bb" +name = "Libraries Loaded by svchost with Low Occurrence Frequency" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.", + "The hunt uses Elastic Defend library events for an extra optional condition `dll.Ext.relative_file_creation_time` to scope if for recently dropped DLLs.", + "The `count_dlls_per_folder` variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", + "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like `%programfiles%` and `system32/syswow64`.", +] +mitre = [ "T1543", "T1543.003"] +query = [ +''' +from logs-endpoint.events.library-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "library" and event.action == "load" and + process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and + (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) +| keep dll.name, dll.path, dll.hash.sha256, host.id +| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) + /* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, 
"""([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, dll.name, dll.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and + process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" +| keep file.name, file.path, file.hash.sha256, host.id +| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) +/* paths normalization by removing random patterns */ +| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") +| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") +| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") +| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 +| where hosts == 1 and count_dlls_per_folder == 1 +''' +] \ No newline at end of file 
diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml
deleted file mode 100644
index 09a479e753d..00000000000
--- a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_elastic_defend.toml
+++ /dev/null
@@ -1,29 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "e37fe0b9-1b70-4800-8989-58bac5a0a9bb" -name = "Libraries loaded by svchost with low occurrence frequency - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.", - "The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", - "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-endpoint.events.library-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "library" and event.action == "load" and - process.name == "svchost.exe" and (dll.code_signature.trusted == false or dll.code_signature.exists == false) and dll.hash.sha256 like "?*" and - (dll.Ext.relative_file_creation_time <= 900 or dll.Ext.relative_file_name_modify_time <= 900) -| keep dll.name, dll.path, dll.hash.sha256, host.id -| eval dll_folder = substring(dll.path, 1, length(dll.path) - (length(dll.name) + 1)) - /* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = 
count(dll_path) by dll_path, dll.name, dll.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml deleted file mode 100644 index 593e75175f1..00000000000 --- a/hunting/windows/queries/libraries_loaded_by_svchost_with_low_occurrence_frequency_sysmon.toml +++ /dev/null 
@@ -1,28 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "1ae6bfd7-34ce-4d7b-b956-f12d3797ac68" -name = "Libraries loaded by svchost with low occurrence frequency - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "The hunt using Elastic Defend library events uses an extra optional condition dll.Ext.relative_file_creation_time to scope if for recently dropped DLLs.", - "The count_dlls_per_folder variable filter is used to avoid cases where multiple DLLs with different names are loaded from same directory (often observed in FPs loaded multiple dependencies from same dir).", - "Pay close attention unknown hashes and suspicious paths, usually ServiceDLLs are located in trusted directories like %programfiles% and system32/syswow64.", -] -mitre = [ "T1543", "T1543.003",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action == "Image loaded" and - process.name == "svchost.exe" and file.code_signature.status != "Valid" and file.hash.sha256 like "?*" -| keep file.name, file.path, file.hash.sha256, host.id -| eval dll_folder = substring(file.path, 1, length(file.path) - (length(file.name) + 1)) -/* paths normalization by removing random patterns */ -| eval dll_path = replace(dll_folder, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "replaced") -| eval dll_path = replace(dll_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") -| eval dll_path = replace(dll_path, """SoftwareDistribution\\Download\\[a-z0-9]+""", """SoftwareDistribution\\Download\\""") -| stats hosts = count_distinct(host.id), count_dlls_per_folder = count(dll_path) by dll_path, file.name, file.hash.sha256 -| where hosts == 1 and count_dlls_per_folder == 1 -''' \ No newline at end 
of file diff --git a/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml b/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml index ae4da0641ce..fe1709bbe9b 100644 --- a/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml 
@@ -1,23 +1,27 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for Microsoft Office child processes with low occurrence frequency. This could be a normal rare behavior as well as potential execution via a malicious document. Adversaries may use Microsoft Office applications to execute malicious code, such as macros, scripts, or other payloads. +""" integration = ["endpoint", "windows", "system"] uuid = "74b2e54b-7002-4201-83d6-7fd9bd5dcf0f" -name = "Microsoft Office Child Processes with low occurrence frequency" +name = "Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent" language = "ES|QL" license = "Elastic License v2" notes = [ - "Certain processes like WerFault.exe, dw20.exe and dwwin.exe are often related to application crash.", + "Certain processes like `WerFault.exe`, `dw20.exe` and `dwwin.exe` are often related to application crash.", "Closer attention should be attributed to lolbins and unsigned executables (Windows 4688 is not capturing process code signature information).", ] -mitre = [ "T1566", "T1566.001",] - -query = ''' +mitre = [ "T1566", "T1566.001"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* -| where host.os.family == "windows" and @timestamp > NOW() - 15 day and - event.category == "process" and event.action in ("start", "Process creation", "created-process") and +| where host.os.family == "windows" and @timestamp > NOW() - 15 day and + event.category == "process" and event.action in ("start", "Process creation", "created-process") and process.parent.name.caseless in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") // normalize user home profile paths | eval process_path = replace(process.executable.caseless, """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") -| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, 
process.parent.name +| stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name | where occurrences == 1 and agents == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml b/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml index 9275697792e..5f80401f4d2 100644 --- a/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml +++ b/hunting/windows/queries/network_discovery_via_sensitive_ports_by_unusual_process.toml @@ -1,8 +1,11 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for either processes connecting to multiple sensitive TCP ports (SMB, RDP, LDAP, Kerberos and ADWS), a high number of SMB/RDP connections to unique destinations or the same process connecting to both RDP and SMB (should be rare). +""" integration = ["endpoint", "windows"] uuid = "e0acab7d-30bd-4be0-9682-5c3457bbeb4f" -name = "Network Discovery via sensitive ports by unusual process" +name = "Network Discovery via Sensitive Ports by Unusual Process" language = "ES|QL" license = "Elastic License v2" notes = [ 
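Review bot: In the re-wrapped `where` clause the `Program Files` exclusion uses `process.executable` with a fixed-case prefix while the normalization two lines later works on `process.executable.caseless`; a child recorded with a differently cased path (some sources emit lower-case paths) passes the exclusion and lands in the results as a false positive. Make the two consistent, e.g. `not starts_with(process.executable.caseless, "c:\\program files")`. Separately, `process.parent.name.caseless` is an Elastic Defend multi-field; whether the Sysmon and `logs-system.security-*` streams named in the `from` line populate it should be confirmed, because a missing field makes the `in (...)` test null and silently drops those sources from the hunt.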
@@ -10,13 +13,13 @@ notes = [ "You can add more sensitive ports to the list like FTP, SSH and others.", "Elastic Network events include process code signature information, this can be added to filter out signed third party false positives.", ] -mitre = [ "T1021", "T1021.002", "T1021.001",] - -query = ''' -from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* +mitre = [ "T1021", "T1021.002", "T1021.001"] +query = [ +''' +from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and - network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and +| where host.os.family == "windows" and event.category == "network" and network.direction == "egress" and + network.transport == "tcp"and destination.port in (3389, 445, 389, 9389, 88, 5985, 5986, 22) and source.port >= 49152 and process.pid != 4 | keep process.executable, destination.port, destination.ip, process.entity_id /* network events with SMB or RDP as a target */ @@ -24,4 +27,5 @@ from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* /* unique count by destination.port, number of distinct SMB and RDP destinations */ | stats count_unique_ports = count_distinct(destination.port), count_smb_dst = count_distinct(smb_dip), count_rdp_dst = count_distinct(rdp_dip) by process.entity_id, process.executable | where count_unique_ports >= 3 or count_rdp_dst >= 10 or count_smb_dst >= 10 or (count_rdp_dst >= 1 and count_rdp_dst >= 1) -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml index 243b98600ed..39a2bc1d874 100644 --- a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml 
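Review bot: The last `where` in the `@@ -24,4 +27,5 @@` hunk tests `(count_rdp_dst >= 1 and count_rdp_dst >= 1)`, which is the same variable twice and reduces to `count_rdp_dst >= 1`; the description above promises the "same process connecting to both RDP and SMB" case, which needs `(count_rdp_dst >= 1 and count_smb_dst >= 1)`. As written every process with a single RDP connection matches, which swamps the three other thresholds on that line. In the `@@ -10,13 +13,13 @@` hunk the added line `network.transport == "tcp"and destination.port` is missing the space before `and`; it may still parse, but it should read `network.transport == "tcp" and destination.port`.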
+++ b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml 
@@ -1,21 +1,33 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for a high number of executable file transfers via the SMB protocol by the same user or agent to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. +""" integration = ["endpoint"] uuid = "3e66fc1a-2ea0-43a6-ba51-0280c693d152" -name = "PE File Transfer via SMB_Admin Shares by Agent" +name = "PE File Transfer via SMB_Admin Shares by Agent or User" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares.", - "Further investigation can done pivoting by host.id and user name.", + "Further investigation can done pivoting by `host.id` and `user.name`.", ] -mitre = [ "T1021", "T1021.002",] - -query = ''' +mitre = [ "T1021", "T1021.002"] +query = [ +''' from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) | stats agents = count_distinct(host.id), total = count(*) by user.name | where agents == 1 and total <= 3 -''' \ No newline at end of file +''', +''' +from logs-endpoint.events.file-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and + 
starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) +| stats agents = count_distinct(host.id), total = count(*) by user.name + /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ +| where agents >= 10 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml b/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml deleted file mode 100644 index c55b0243f9f..00000000000 --- a/hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_user.toml +++ /dev/null @@ -1,22 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "ef9def35-0671-4599-8a18-5a1b833ef4c4" -name = "PE File Transfer via SMB_Admin Shares by User" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "This hunt looks for high number of executable file transfer via the SMB protocol by the same user.name to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares.", - "PE File Transfer via SMB/Admin Shares by User", -] -mitre = [ "T1021", "T1021.002",] - -query = ''' -from logs-endpoint.events.file-* -| where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and - starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) -| stats agents = count_distinct(host.id), total = count(*) by user.name - /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ -| where agents >= 10 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml new file mode 100644 index 00000000000..28cdf428567 
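Review bot: Both queries gate on `starts_with(file.Ext.header_bytes, "4d5a*")`, but ES|QL `STARTS_WITH` appears to take a literal prefix (wildcards belong to `LIKE`), so the trailing `*` is compared as a character and the `where` only holds for values that literally contain `4d5a*`; if the intent is the MZ header prefix, it should be `starts_with(file.Ext.header_bytes, "4d5a")` or `file.Ext.header_bytes like "4d5a*"`. The same literal appears in the deleted `by_user` file, so this predates the commit, but the merged hunt carries it forward into both queries. The description only explains the second query's `agents >= 10` threshold; the first query's `agents == 1 and total <= 3` is a low-frequency filter and deserves a note line such as `"The first query surfaces rare transfers (one host, three or fewer files per user); the second flags a user writing PE files to ten or more hosts."`. Typo in the description: `maxium` should be `maximum`.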
--- /dev/null
+++ b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency.toml
@@ -0,0 +1,45 @@ +[hunt] +author = "Elastic" +description = """ +Leveraging frequency based analysis and random values normalization, this hunt identifies instances where a program adds a persistence entry with rare values or are imited to unique hosts. Run registry key cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint. +""" +integration = ["endpoint", "windows"] +uuid = "1078e906-0485-482e-bcf3-7ee939e07020" +name = "Persistence via Run Key with Low Occurrence Frequency" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt includes two queries to cover both Sysmon and Elastic Defend data sources.", + "Sysmon registry events do not populate process code signature information (hence the separation of the queries).", + "Suspicious paths and LOLBins in the `registry.data.strings` value should be reviewed further.", +] +mitre = [ "T1547", "T1547.001"] +query = [ +''' +from logs-endpoint.events.registry-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and + (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and + ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" +| keep registry.key, registry.data.strings, process.name, host.id + /* Paths normalization in registry.data.strings to ease aggregation */ +| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", 
"C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data +| where hosts == 1 and cc == 1 +''', +''' +from logs-windows.sysmon_operational-* +| where @timestamp > NOW() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and + ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" +| keep registry.key, registry.data.strings, process.name, host.id + /* Paths normalization in registry.data.strings to ease aggregation */ +| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data +| where hosts == 1 and cc == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml deleted file mode 100644 index c0a26f9a9bf..00000000000 --- a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_elastic_defend.toml +++ /dev/null 
@@ -1,27 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["endpoint"] -uuid = "1078e906-0485-482e-bcf3-7ee939e07020" -name = "Persistence via Run Key with low occurrence frequency - Elastic Defend" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon registry event don't populate process code signature information (hence the separation of the queries).", - "Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.", -] -mitre = [ "T1547", "T1547.001",] - -query = ''' -from logs-endpoint.events.registry-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "modification" and - (process.code_signature.exists == false or starts_with(process.code_signature.subject_name, "Microsoft")) and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml b/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml deleted file mode 100644 index 1ec10dc553b..00000000000 
--- a/hunting/windows/queries/persistence_via_run_key_with_low_occurrence_frequency_sysmon.toml +++ /dev/null @@ -1,26 +0,0 @@ -[hunt] -author = "Elastic" -integration = ["windows"] -uuid = "cb2d8acc-123a-4578-bd33-7004c2be9843" -name = "Persistence via Run Key with low occurrence frequency - Sysmon" -language = "ES|QL" -license = "Elastic License v2" -notes = [ - "Sysmon registry event don't populate process code signature information (hence the separation of the queries).", - "Suspicious paths and lolbins in the registry.data.strings value should be reviewed further.", -] -mitre = [ "T1547", "T1547.001",] - -query = ''' -from logs-windows.sysmon_operational-* -| where @timestamp > NOW() - 7 day -| where host.os.family == "windows" and event.category == "registry" and event.action == "RegistryEvent (Value Set)" and - ends_with(registry.key,"\\Microsoft\\Windows\\CurrentVersion\\Run") and - not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.{1,2}[c-fC-F]:\\WINDOWS\\System32\\DriverStore\\FileRepository\\.+)""" -| keep registry.key, registry.data.strings, process.name, host.id - /* Paths normalization in registry.data.strings to ease aggregation */ -| eval registry_data = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") -| eval registry_data = replace(registry_data, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") -| stats cc = count(*), hosts = count_distinct(host.id) by process.name, registry_data -| where hosts == 1 and cc == 1 -''' \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml b/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml index a1019041f57..65e1ed4704f 100644 
--- a/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
+++ b/hunting/windows/queries/persistence_via_startup_with_low_occurrence_frequency.toml
@@ -1,21 +1,22 @@ [hunt] author = "Elastic" +description = "Leveraging frequency based analysis and path normalization, this hunt identifies rare instances where a program adds a Startup persistence via file creation. Startup entries cause programs to run each time that a user logs on and are often abused by adversaries to maintain persistence on an endpoint." integration = ["endpoint", "windows"] uuid = "9d8c79fd-0006-4988-8aaa-d5f9b9a7df8e" -name = "Persistence via Startup with low occurrence frequency" +name = "Persistence via Startup with Low Occurrence Frequency by Unique Host" language = "ES|QL" license = "Elastic License v2" notes = [ - "Elastic Defend file event captures the process.code_signature information, this can be added to the hunt to limit to unsigned and Microsoft signed programs.", - "Unique file.name and limited to 1 agent is not necessarily malicious, this help surface ones worth further investigation.", - "Suspicious process.executable paths and lolbins should be reviewed further.", + "Elastic Defend file event captures the `process.code_signature` information, this can be added to the hunt to limit to unsigned and Microsoft signed programs.", + "Unique `file.name` and limited to one agent is not necessarily malicious, however helps surface ones worth further investigation.", + "Suspicious `process.executable` paths and LOLBins should be reviewed further.", ] -mitre = [ "T1547", "T1547.001",] - -query = ''' +mitre = [ "T1547", "T1547.001"] +query = [ +''' from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and +| where host.os.family == "windows" and event.category == "file" and event.action in ("creation", "FileCreate") and file.path rlike """(C:\\Users\\.+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.+*|C:\\ProgramData\\Microsoft\\Windows\\Start 
Menu\\Programs\\StartUp\\.+)""" | keep process.executable, host.id, file.name /* Paths normalization in registry.data.strings to ease aggregation */ @@ -23,4 +24,5 @@ from logs-endpoint.events.file-*, logs-windows.sysmon_operational-default-* | eval process_path = replace(process_path, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") | stats number_hosts = count_distinct(host.id) by process_path, file.name | where number_hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml b/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml index a11fc9dea5c..2e6cb02440d 100644 --- a/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml +++ b/hunting/windows/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml 
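Review bot: The unchanged comment `/* Paths normalization in registry.data.strings to ease aggregation */` is stale for this hunt: the query works on file events and the second hunk normalizes `process_path` (presumably derived from `process.executable`, the field kept above), and `registry.data.strings` is never referenced; `/* Path normalization of process.executable to ease aggregation */` would be accurate. The new `file.path` pattern stacks quantifiers in `Startup\\.+*`, which reads like a typo for `Startup\\.+` — worth confirming the ES|QL regex engine accepts it and matches as intended. The `logs-windows.sysmon_operational-default-*` source is pinned to the `default` namespace while the sibling hunts in this commit use `logs-windows.sysmon_operational-*`, so hosts shipping Sysmon to another namespace are silently skipped here. The `eval process_path` line that first derives the path sits between the two hunks and is outside this view.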
@@ -1,24 +1,27 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. +""" integration = ["endpoint"] uuid = "a7dcd1a1-2860-491e-8802-31169a607167" -name = "Persistence via Suspicious Launch Agent or Launch Daemon with low occurrence" +name = "Low Occurrence of Suspicious Launch Agent or Launch Daemon" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host.", - "Further investigation can done pivoting by Persistence.name and args.", + "Further investigation can done pivoting by `Persistence.name` and `args`.", ] -mitre = [ "T1547", "T1547.011", "T1543", "T1543.001", "T1543.004",] - -query = ''' +mitre = [ "T1547", "T1547.011", "T1543", "T1543.001", "T1543.004"] +query = [ +''' from logs-endpoint.events.file-* | where @timestamp > now() - 7 day -| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and +| where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and (Persistence.runatload == true or Persistence.keepalive == true) and process.executable is not null | eval args = MV_CONCAT(Persistence.args, ",") /* normalizing users home profile */ | eval args = replace(args, """/Users/[a-zA-Z0-9ñ\.\-\_\$~ ]+/""", "/Users/user/") | stats agents = count_distinct(host.id), total = count(*) by process.name, Persistence.name, args | where starts_with(args, "/") and agents == 1 and total == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml b/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml index 972a4437c0c..48f192b0f2b 100644 --- a/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml 
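Review bot: This hunt filters on `host.os.family == "macos"` and looks at Launch Agents/Daemons, yet the commit renames it in place under `hunting/windows/queries/`; if the directory drives per-platform grouping of the generated hunt index, a macOS hunt will be listed as Windows, so moving the file (or at least documenting the platform in the description) seems warranted. The surviving note is also missing a word: `"Further investigation can be done pivoting by `Persistence.name` and `args`."`.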
+++ b/hunting/windows/queries/potential_exfiltration_by_process_total_egress_bytes.toml 
@@ -1,26 +1,31 @@ [hunt] author = "Elastic" +description = """ +Using aggregation and the ES|QL `SUM` function, this hunt identifies processes that performed egress connections with total bytes greater or equal to a defined maximum threshold. This may indicate exfiltration or long term command and control activity. +""" integration = ["endpoint"] uuid = "977d77f9-86e0-4df6-bdc7-aed87c048290" -name = "Potential Exfiltration by process total egress bytes" +name = "Egress Network Connections with Total Bytes Greater than Threshold" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log source.bytes.", - "The use of host.os.family is to optimise the query and avoid timeout. You can duplicate the same query for other platforms (linux, macos etc.)", + "This hunt is not compatible with Sysmon event 3 (Network connection) and Windows security event 5156 as both don't log `source.bytes`.", + "The use of `host.os.family` is to optimise the query and avoid timeout. 
You can duplicate the same query for other platforms (linux, macos etc.)", "Based on limited testing it's recommended to set the query time window to 8 hours.", - "Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.).", + "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).", ] mitre = [ "T1071",] -query = ''' +query = [ +''' from logs-endpoint.events.network-* -| where @timestamp > now() - 8 hour -| where host.os.family == "windows" and event.category == "network" and - event.action == "disconnect_received" and +| where @timestamp > now() - 8 hour +| where host.os.family == "windows" and event.category == "network" and + event.action == "disconnect_received" and not CIDR_MATCH(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1","FE80::/10", "FF00::/8") | keep source.bytes, destination.address, process.executable, process.entity_id | stats total_bytes_out = sum(source.bytes) by process.entity_id, destination.address, process.executable /* more than 1GB out by same process.pid in 8 hours */ | where total_bytes_out >= 1073741824 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml b/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml index 0f970eb8958..c266a04ebf4 100644 --- a/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml +++ b/hunting/windows/queries/rundll32_execution_aggregated_by_cmdline.toml 
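Review bot: The unchanged comment `/* more than 1GB out by same process.pid in 8 hours */` does not match the aggregation, which is keyed by `process.entity_id, destination.address, process.executable`: the threshold is applied per process and destination, so a process that spreads its egress across many destinations never reaches it. Either reword the comment to `/* >= 1GB out by the same process to a single destination in 8 hours */` or drop `destination.address` from the `by` clause if per-process totals are the intent. The new description also says "a defined maximum threshold" while the value is hard-coded as `1073741824`; stating the 1 GB default there would make tuning easier.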
@@ -1,25 +1,29 @@ [hunt] author = "Elastic" +description = """ +This hunt aggregate Rundll32 execution by normalized `process.command_line` and returns instances that are unique by frequency. Rundll32 is one of the most abused binaries to proxy execution of malicious commands and modules. +""" integration = ["endpoint", "windows", "system"] uuid = "30f37cd2-c1d8-4554-bb4a-ed76de9e6857" -name = "Rundll32 execution aggregated by cmdline" +name = "Rundll32 Execution Aggregated by Command Line" language = "ES|QL" license = "Elastic License v2" notes = [ "Execution of DLLs from suspicious paths or with suspicious export function names or from suspicious parent should be further reviewed.", - "Parents such as svchost, explorer.exe, wmiprvse.exe, winword.exe and others should be carefully reviewed.", + "Parents such as svchost, `explorer.exe`, `wmiprvse.exe`, `winword.exe` and others should be carefully reviewed.", ] -mitre = [ "T1127", "T1218", "T1218.011",] - -query = ''' +mitre = [ "T1127", "T1218", "T1218.011"] +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where @timestamp > now() - 7 day -| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and - process.name.caseless == "rundll32.exe" and +| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and + process.name.caseless == "rundll32.exe" and not process.command_line rlike """.*(zzzzInvokeManagedCustomActionOutOfProc|GeneralTel.dll,RunInUserCxt|ShOpenVerbApplication|davclnt.dll,DavSetCookie|FileProtocolHandler|EDGEHTML.dll|FirewallControlPanel.dll,ShowNotificationDialog|printui.dll,PrintUIEntryDPIAware|Program 
Files|SHCreateLocalServerRunDll|ImageView_Fullscreen|StatusMonitorEntryPoint|Control_RunDLL|HotPlugSafeRemovalDriveNotification|AppxDeploymentClient.dll|acproxy.dll,PerformAutochkOperations|CapabilityAccessManagerDoStoreMaintenance|dfshim.dll|display.dll,ShowAdapterSettings|ForceProxyDetectionOnNextRun|PfSvWsSwapAssessmentTask|acmigration.dll,ApplyMigrationShims|LenovoBatteryGaugePackage.dll|-localserver|DriverStore|CnmDxPEntryPoint|DeferredDelete|DeviceProperties_RunDLL|AppxDeploymentClient.dll|spool\\DRIVERS|printui.dll,PrintUIEntry|DfdGetDefaultPolicyAndSMART|cryptext.dll,CryptExt|WininetPlugin.dll|ClearMyTracksByProcess|SusRunTask|OpenURL|CleanupTemporaryState).*""" | keep process.parent.name, process.command_line, host.id | eval cmdline = replace(process.command_line, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") | eval cmdline = replace(cmdline, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") | stats hosts =count_distinct(host.id), total = count() by cmdline, process.parent.name | where hosts == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml b/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml index 5cea1a74587..f473169b0dd 100644 --- a/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml +++ b/hunting/windows/queries/scheduled_task_creation_by_action_via_registry.toml 
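Review bot: The exclusion regex on the new `not process.command_line rlike` line lists `AppxDeploymentClient.dll` twice; the second alternation can be dropped. Several alternatives are bare substrings rather than DLL-plus-export pairs (`OpenURL`, `-localserver`, `DriverStore`), so any command line containing them is suppressed regardless of which DLL is loaded; anchoring the benign cases to their DLL name would keep the exclusion from masking unrelated invocations. The new description also has a subject/verb mismatch: `This hunt aggregates Rundll32 execution`.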
@@ -1,17 +1,19 @@ [hunt] author = "Elastic" +description = """ +This hunt looks for scheduled tasks creation by action using registry events. Scheduled tasks actions are saved under the TaskCache registry key in base64 encoded blob. Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query. +""" integration = ["endpoint"] uuid = "344c0690-ebc3-4794-b123-272a5c09c57b" -name = "Scheduled tasks creation by action via registry" +name = "Scheduled tasks Creation by Action via Registry" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt aggregate created scheduled tasks by action using registry events.", - "Malware often abuse lolbins to proxy execution or run executables from unusual paths, you can add more patterns to the query.", + "Malware often abuse LOLBins to proxy execution or run executables from unusual paths, you can add more patterns to the query.", ] mitre = [ "T1053", "T1053.005"] - -query = ''' +query = [ +''' from logs-endpoint.events.registry-* | where @timestamp > now() - 7 day | where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and @@ -25,3 +27,4 @@ from logs-endpoint.events.registry-* /* helps reduce result to instances limited to one agent */ | where count_agents == 1 ''' +] diff --git a/hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml b/hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml similarity index 70% rename from hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml rename to hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml index e6fc2b2887b..8d236b4c9be 100644 --- a/hunting/windows/queries/scheduled_tasks_creation_with_low_occurrence_frequency.toml +++ b/hunting/windows/queries/scheduled_tasks_creation_for_unique_hosts_by_task_command.toml 
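Review bot: The new `name = "Scheduled tasks Creation by Action via Registry"` is the only title in this commit left in mixed case; `name = "Scheduled Tasks Creation by Action via Registry"` matches the others. This query also filters on `host.os.type` where the sibling hunts use `host.os.family`, and the exfiltration hunt's note explains `host.os.family` is used to keep queries fast, so aligning the field here avoids an unexplained difference. The body of the query between the two hunks is outside this view.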
@@ -1,30 +1,34 @@ [hunt] author = "Elastic" +description = """ +Using aggregation and strings extraction, this hunt identifies instances where a scheduled task is created and set to run a command unique to a specific host. This could be the result of persistence as a Windows Scheduled Task. +""" integration = ["system"] uuid = "75804319-122c-4bdc-976e-d6355bca0d78" -name = "Scheduled tasks creation with low occurrence frequency" +name = "Scheduled Tasks Creation for Unique Hosts by Task Command" language = "ES|QL" license = "Elastic License v2" notes = [ "This hunt returns the aggregation of created tasks by task name, command to execute and number of hosts where this task is present.", - "Close attention should be paid to suspicious paths like C:\\Users\\Public and C:\\ProgramData\\ as well as lolbins.", + "Close attention should be paid to suspicious paths like `C:\\Users\\Public and C:\\ProgramData\\` as well as LOLBins.", ] -mitre = [ "T1053", "T1053.005",] - -query = ''' +mitre = [ "T1053", "T1053.005"] +query = [ +''' from logs-system.security-default-* | where @timestamp > now() - 7 day | where host.os.family == "windows" and event.code == "4698" and event.action == "scheduled-task-created" /* parsing unstructured data from winlog message to extract a scheduled task Exec command */ -| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") +| grok message "(?.+)" | eval Command = replace(Command, "(|)", "") | where Command is not null /* normalise task name by removing usersid and uuid string patterns */ -| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") +| eval TaskName = replace(winlog.event_data.TaskName, """((-S-1-5-.*)|\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\})""", "") /* normalise task name by removing random patterns in a file path */ | eval Task_Command = replace(Command, 
"""(ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") /* normalize user home profile path */ | eval Task_Command = replace(Task_Command, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$~]+\\""", "C:\\\\users\\\\user\\\\") | where Task_Command like "?*" and not starts_with(Task_Command, "C:\\Program Files") and not starts_with(Task_Command, "\"C:\\Program Files") -| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName +| stats tasks_count = count(*), hosts_count = count_distinct(host.id) by Task_Command, TaskName | where hosts_count == 1 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml b/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml index 4f6957b3709..88e89486a6e 100644 --- a/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml +++ b/hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml 
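Review bot: The rewritten note wraps two paths in a single code span (`C:\\Users\\Public and C:\\ProgramData\\` inside one pair of backticks); each path should get its own backticks so the note reads "suspicious paths like `C:\\Users\\Public` and `C:\\ProgramData\\` as well as LOLBins". The `grok message "(?.+)"` and `replace(Command, "(|)", "")` lines appear here with an empty capture name and an empty alternation — presumably the angle-bracket tag names were lost in rendering; worth confirming the committed file still carries the named capture, since an empty group would leave `Command` null and the `where Command is not null` filter would drop every row.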
@@ -1,16 +1,20 @@ [hunt] author = "Elastic" +description = """ +This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands. +""" integration = ["endpoint", "windows", "system"] uuid = "8bf800de-b3a2-4b36-9484-7d9dae2a1992" name = "Suspicious Base64 Encoded Powershell Command" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt decode base64 obfuscated powershell commands in process start events and filter ones with suspicious keywords like downloaders and evasion related commands.", + "This hunt can be expanded to include more evasion techniques and downloaders.", + "Pivoting by `agent.id` can provide more context on the affected hosts." ] mitre = [ "T1059", "T1059.001", "T1027", "T1027.010"] - -query = ''' +query = [ +''' from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* | where host.os.type == "windows" and event.category == "process" and event.type == "start" and TO_LOWER(process.name) == "powershell.exe" and process.command_line rlike ".+ -(e|E).*" | keep agent.id, process.command_line @@ -23,3 +27,4 @@ from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-sys | where decoded_base64_cmdline rlike """.*(http|webclient|download|mppreference|sockets|bxor|.replace|reflection|assembly|load|bits|start-proc|iwr|frombase64).*""" | keep agent.id, process.command_line, decoded_base64_cmdline ''' +] diff --git a/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml b/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml index 9cbdc33cd53..344f9675a43 100644 --- a/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml +++ b/hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml 
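Review bot: This query has no time bound: every other hunt touched in this commit starts with `| where @timestamp > now() - 7 day`, and an unbounded `rlike` over `process.command_line` across the endpoint, Sysmon and Security indices is the kind of query the exfiltration hunt's notes warn can time out. Adding `| where @timestamp > now() - 7 day` after the `from` line keeps it consistent. The pre-filter `rlike ".+ -(e|E).*"` also matches any `-e…` switch (`-ExecutionPolicy`, `-ep`), so the decode step between the two hunks, outside this view, is doing the real filtering; a one-line comment saying so would help the next reader.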
@@ -1,20 +1,23 @@ [hunt] author = "Elastic" +description = """ +Leveraging aggregation by process executable entities, this hunt identifies identifies a high number of DNS TXT record queries from same process. +Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data. +""" integration = ["endpoint", "windows"] uuid = "0b7343f7-2d16-43c7-af28-9d1f012b1093" -name = "Suspicious DNS TXT Record lookups by process" +name = "Suspicious DNS TXT Record Lookups by Process" language = "ES|QL" license = "Elastic License v2" notes = [ - "This hunt returns a list of processes unique pids and executable path that performs a high number of DNS TXT lookups.", - "Pivoting by process.entity_id will allow further investigation (parent process, hash, child processes, other network events etc.).", + "This hunt returns a list of processes unique pids and executable paths that performs a high number of DNS TXT lookups.", + "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).", ] -mitre = [ "T1071", "T1071.004",] - +mitre = [ "T1071", "T1071.004"] query = ''' from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* -| where host.os.family == "windows" and event.category == "network" and - event.action in ("lookup_requested", "DNSEvent (DNS query)") and +| where host.os.family == "windows" and event.category == "network" and + event.action in ("lookup_requested", "DNSEvent (DNS query)") and (dns.question.type == "TXT" or dns.answers.type == "TXT") and process.executable != "C:\\Windows\\system32\\svchost.exe" | keep process.executable, process.entity_id | stats occurrences = count(*) by process.entity_id, process.executable diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml new file mode 100644 index 00000000000..8bc916f296f --- /dev/null 
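Review bot: `query = '''` is left as a single string here while every other hunt file in this commit is converted to the list form `query = [ ''' … ''' ]`; if the hunt loader now expects a list this file will fail to load, and if it accepts both, the inconsistency still shows up in the generated docs. The new description also duplicates a word: `this hunt identifies a high number of DNS TXT record queries from the same process`. Any threshold applied after the `stats occurrences` line is outside this hunk.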
+++ b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename.toml 
@@ -0,0 +1,64 @@ +[hunt] +author = "Elastic" +description = """ +This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the ES|QL `Replace` command we can also further remove random patterns to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and LOLBins. +""" +integration = ["endpoint", "windows", "system"] +uuid = "ebf79207-16dc-44f8-b10c-317d4a034bad" +name = "Unique Windows Services Creation by Service File Name" +language = "ES|QL" +license = "Elastic License v2" +notes = [ + "This hunt also identifies services registry modification by unusual process based on number of hosts and occurrences history.", + "Windows event IDs 4697 and 7045 are used to identify service creation and modification.", +] +mitre = [ "T1543", "T1543.003"] + +query = [ +''' +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and + process.executable != "C:\\Windows\\System32\\services.exe" +| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path +/* unique process.executable found in one agent */ +| where hosts == 1 and occurrences == 1 +''', +''' +from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and + registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") 
and + not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName + /* unique ServiceFileName observed in 1 host*/ +| where hosts == 1 and cc == 1 +''', +''' +from logs-system.security-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and + not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +''', +''' +from logs-system.system-* +| where @timestamp > now() - 7 day +| where host.os.family == "windows" and event.code == "7045" and + not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program 
Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)""" +| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "") +| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_") +| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") +| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName +| where hosts == 1 and cc == 1 +''' +] \ No newline at end of file diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml deleted file mode 100644 index e7f69e6e181..00000000000 --- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_registry_sysmon.toml +++ /dev/null 
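Review bot: The normalization `replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")` used in queries 2–4 begins with an unescaped `.`, so it consumes any character before `inf_amd` instead of the literal dot; `\.inf_amd` is presumably intended (the pattern is carried over from the deleted files, so this predates the commit). The first query is a different hunt — unusual processes writing `ServiceDLL`/`ImagePath` values — bundled into a file named by service file name; the notes mention it, but the description only covers the ServiceFileName queries, so a sentence on the first query would help. The description also calls `Replace` a command; in ES|QL it is a function.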
@@ -1,23 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint", "windows"]
-uuid = "ebf79207-16dc-44f8-b10c-317d4a034bad"
-name = "Unique Windows Services Creation by ServiceFileName - Elastic Defend Registry - Sysmon"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt identify services registry modification by unusual process based on number of hosts and occurrences history.",
-]
-mitre = [ "T1543", "T1543.003",]
-
-query = '''
-from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and
- registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and
- process.executable != "C:\\Windows\\System32\\services.exe"
-| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats hosts = count_distinct(host.id), occurrences = count(*) by process_path
-/* unique process.executable found in one agent */
-| where hosts == 1 and occurrences == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml
deleted file mode 100644
index f13c7927f2b..00000000000
--- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_elastic_defend_sysmon_registry.toml
+++ /dev/null
@@ -1,25 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["endpoint", "windows"]
-uuid = "688dc79d-f52a-49ad-829d-89343e68b0f7"
-name = "Unique Windows Services Creation by ServiceFileName - Elastic Defend - Sysmon Registry"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.",
-]
-mitre = [ "T1543", "T1543.003",]
-
-query = '''
-from logs-endpoint.events.registry-*, logs-windows.sysmon_operational-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "registry" and event.action in ("modification", "RegistryEvent (Value Set)") and
- registry.value in ("ServiceDLL", "ImagePath") and starts_with(registry.path, "HKLM\\SYSTEM\\") and
- not registry.data.strings rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
-| eval ServiceFileName = replace(registry.data.strings, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
-| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
- /* unique ServiceFileName observed in 1 host*/
-| where hosts == 1 and cc == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml
deleted file mode 100644
index 87d45175a2d..00000000000
--- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_4697.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["system"]
-uuid = "b6b14385-4ed2-44af-98fe-dad5b1581174"
-name = "Unique Windows Services Creation by ServiceFileName - Windows Security 4697"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.",
-]
-mitre = [ "T1543", "T1543.003",]
-
-query = '''
-from logs-system.security-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "configuration" and event.code == "4697" and
- not winlog.event_data.ServiceFileName rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
-| eval ServiceFileName = replace(winlog.event_data.ServiceFileName, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
-| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
-| where hosts == 1 and cc == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml b/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml
deleted file mode 100644
index 3be2538e9c0..00000000000
--- a/hunting/windows/queries/unique_windows_services_creation_by_servicefilename_windows_security_7045.toml
+++ /dev/null
@@ -1,23 +0,0 @@
-[hunt]
-author = "Elastic"
-integration = ["system"]
-uuid = "1749a45b-98f0-4b27-8c2f-2287230e52b7"
-name = "Unique Windows Services Creation by ServiceFileName - Windows Security 7045"
-language = "ES|QL"
-license = "Elastic License v2"
-notes = [
- "This hunt aggregates created Windows services by service file name and distribution limited to unique hosts. Using the Replace command we can also further remove random pattern to reduce results to interesting events. More investigation can be conducted on instance that looks suspicious based on service file path, names and lolbins.",
-]
-mitre = [ "T1543", "T1543.003",]
-
-query = '''
-from logs-system.system-*
-| where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.code == "7045" and
- not winlog.event_data.ImagePath rlike """(.{1,2}[c-fC-F]:\\Program Files.+)|([c-fC-F]:\\Program Files.+)|(.*\\System32\\DriverStore\\FileRepository\\.+)"""
-| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
-| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
-| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
-| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
-| where hosts == 1 and cc == 1
-'''
\ No newline at end of file
diff --git a/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml b/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
index 2e0ba4e330c..a4d0d9a8c56 100644
--- a/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
+++ b/hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml
@@ -1,23 +1,27 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt looks for unusual Microsoft native processes spawning `cmd.exe`, `powershell.exe` or `conhost.exe` and limited to a unique host. This could be normal rare behavior as well as an interactive shell activity from an injected parent process to execute system commands.
+"""
 integration = ["endpoint", "windows", "system"]
 uuid = "de929347-c04a-4a94-8be2-cbe87b25bb25"
-name = "Windows Command and Scripting Interpreter from unusual parent"
+name = "Windows Command and Scripting Interpreter from Unusual Parent Process"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "Pivoting can be done via process.parent.name.",
- "Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn cmd.exe powershell.exe or conhost.exe, if so it's highly likely malicious.",
+ "Further pivoting can be done via `process.parent.name`.",
+ "Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn `cmd.exe`, `powershell.exe` or `conhost.exe`, if so it's highly likely malicious.",
 ]
-mitre = [ "T1059", "T1059.001", "T1059.003",]
-
-query = '''
+mitre = [ "T1059", "T1059.001", "T1059.003"]
+query = [
+'''
 from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and
- process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and
+| where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and
+ process.name.caseless in ("cmd.exe", "powershell.exe", "conhost.exe") and
 (starts_with(process.parent.executable.caseless, "c:\\windows\\system32") or starts_with(process.parent.executable.caseless, "c:\\windows\\syswow64"))
 | keep process.name, process.parent.name, host.id
 | 
stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name
 | where cc <= 10 and hosts == 1
-'''
\ No newline at end of file
+'''
+]
\ No newline at end of file
diff --git a/hunting/windows/queries/windows_logon_activity_by_source_ip.toml b/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
index 60049f10080..4547241284f 100644
--- a/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
+++ b/hunting/windows/queries/windows_logon_activity_by_source_ip.toml
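Review bot: After `| keep process.name, process.parent.name, host.id` the aggregation `stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name` keys on the parent's file name alone, so a parent under `c:\windows\syswow64` and its `system32` counterpart collapse into one row and the parent path is never visible for the pivot the note recommends. Keeping the executable path through the pipeline is cheap and lets a hunter see an unexpected location for a well-known name: `| keep process.name, process.parent.name, process.parent.executable, host.id` and `by process.parent.name, process.parent.executable`. The `where cc <= 10` ceiling would then apply per path rather than per name, which is the more useful granularity for this hunt.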
@@ -1,26 +1,29 @@
 [hunt]
 author = "Elastic"
+description = """
+This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is.
+"""
 integration = ["system"]
 uuid = "7bdea198-eb09-4eca-ae3d-bfc3b52c89a9"
-name = "Windows logon activity by source IP"
+name = "Windows Logon Activity by Source IP"
 language = "ES|QL"
 license = "Elastic License v2"
 notes = [
- "This hunt returns the total number of failed logons, successful ones and the number of unique account names grouped by source.ip.",
- "Pay close attention to IP addresses source of a high number of failures associated with low success attempts and high number of used accounts.",
+ "Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.",
 ]
-mitre = [ "T1110", "T1110.001", "T1110.003",]
-
-query = '''
+mitre = [ "T1110", "T1110.001", "T1110.003"]
+query = [
+'''
 from logs-system.security-*
 | where @timestamp > now() - 7 day
-| where host.os.family == "windows" and
- event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
- source.ip is not null and
- /* noisy failure status codes often associated to authentication misconfiguration */
+| where host.os.family == "windows" and
+ event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
+ source.ip is not null and
+ /* noisy failure status codes often associated to authentication misconfiguration */
 not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192"))
 | eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null)
 | stats count_failed = count(failed), 
count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip /* below threshold should be adjusted to your env logon patterns */ | where count_failed >= 100 and count_success <= 10 and count_user >= 20 -''' \ No newline at end of file +''' +] \ No newline at end of file diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 6019f522c45..0a5ee5c15a7 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/14" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -event.agent_id_status:* +event.agent_id_status:* and not tags:forwarded ''' diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml index 0bbd44d8537..1bc428d0f15 100644 --- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml +++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/19" [rule] author = ["Elastic"] @@ -15,10 +15,10 @@ future. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] -language = "lucene" +language = "eql" license = "Elastic License v2" max_signals = 33 -name = "Setuid / Setgid Bit Set via chmod" +name = "SUID/SGID Bit Set" risk_score = 21 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a" severity = "low" 
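Review bot: The noise filter on the unchanged line directly after the re-indented `/* noisy failure status codes ... */` comment lists the codes with inconsistent prefixes, `("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")`, and ES|QL `in` compares strings exactly, so whichever form the Security log actually renders (`0x` or `0X`), at least one of these codes will never be excluded and keeps inflating `count_failed`. Normalising the field first makes the list independent of how the event was rendered: `not (event.action == "logon-failed" and to_lower(winlog.event_data.Status) in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192"))`. Since this rewrite already touches the surrounding lines for whitespace, it is the natural place to fix the casing as well.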
@@ -31,54 +31,41 @@ tags = [ "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" -type = "query" - +type = "eql" query = ''' -event.category:process AND event.type:(start OR process_started) AND - process.name:chmod AND process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND - NOT process.args: - ( - /.*\/Applications\/VirtualBox.app\/.+/ OR - /\/usr\/local\/lib\/python.+/ OR - /\/var\/folders\/.+\/FP.*nstallHelper/ OR - /\/Library\/Filesystems\/.+/ OR - /\/usr\/lib\/virtualbox\/.+/ OR - /\/Library\/Application.*/ OR - "/run/postgresql" OR - "/var/crash" OR - "/var/run/postgresql" OR - /\/usr\/bin\/.+/ OR /\/usr\/local\/share\/.+/ OR - /\/Applications\/.+/ OR /\/usr\/libexec\/.+/ OR - "/var/metrics" OR /\/var\/lib\/dpkg\/.+/ OR - /\/run\/log\/journal\/.*/ OR - \/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit - ) AND - NOT process.parent.executable: - ( - /\/var\/lib\/docker\/.+/ OR - "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" OR - "/var/lib/dpkg/info/whoopsie.postinst" - ) +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or + (process.name == "install" and process.args : "-m" and + (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) +) and not ( + process.parent.executable : ( + "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*", + "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" + ) or + process.args : ( + "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent" + ) +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation 
Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" @@ -86,4 +73,3 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml similarity index 51% rename from rules/integrations/aws/exfiltration_rds_snapshot_restored.toml rename to rules/integrations/aws/defense_evasion_rds_instance_restored.toml index fb21fe2f6d0..4a584d3a37c 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/defense_evasion_rds_instance_restored.toml 
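Review bot: The mode match `process.args regex "[24][0-9]{3}"`, used for both the `chmod` and the `install -m` branch of the new EQL query, only accepts a four-digit mode whose first digit is 2 or 4; since EQL `regex` matches the whole argument, `chmod 6755` (setuid and setgid together), the leading-zero octal form `04755`, and symbolic forms such as `ug+s` or `a+s` all go undetected, a gap the old Lucene patterns shared but which this rewrite is the right place to close: `process.args regex "0?[2-7][0-9]{3}"` and `process.args : ("+s", "u+s", "g+s", "ug+s", "a+s")`. Separately, the query is now scoped to `host.os.type == "linux"` while the file still lives under `rules/cross-platform/` and keeps the macOS-only `package_script_service` path in the `process.parent.executable` exclusion, which is unlikely to ever match on a Linux host; either the OS filter or that exclusion should go, and the rule's OS tags (outside this hunk) should agree with whichever is kept. The `[[rule.threat]]` block this hunk ends in continues past the hunk.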
@@ -2,32 +2,29 @@ creation_date = "2021/06/29" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/20" [rule] -author = ["Austin Songer"] +author = ["Austin Songer", "Elastic"] description = """ -Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order -to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, -verify if the snapshot was shared with an unauthorized or unexpected AWS account. +An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations. """ false_positives = [ """ - Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, - and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts + Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
""", ] index = ["filebeat-*", "logs-aws.cloudtrail-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" -name = "AWS RDS Snapshot Restored" -note = """## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +name = "AWS RDS DB Instance Restored" references = [ "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", + "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", + "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance", ] risk_score = 47 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" @@ -36,18 +33,20 @@ tags = [ "Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", + "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Defense Evasion", ] timestamp_override = "event.ingested" -type = "query" +type = "eql" query = ''' -event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and -event.outcome:success +any where event.dataset == "aws.cloudtrail" + and event.provider == "rds.amazonaws.com" + and event.action in ("RestoreDBInstanceFromDBSnapshot", "RestoreDBInstanceFromS3") + and event.outcome == "success" ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
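Review bot: The `## Setup` section is removed from `note` without a replacement `setup` field, while the ML rules in this same commit move the identical text into `setup = """## Setup ..."""`, so this rule no longer documents its data-source requirement anywhere; suggest adding, next to `name`, `setup = """## Setup` / `` / `The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""`. The new description also says the rule catches copies of "running or deleted RDS databases", but the two operations the query matches restore a DB instance from a snapshot or from a backup stored in S3, so wording such as `restore a DB instance from a snapshot or from a backup stored in S3` would describe the detection more precisely. The `[[rule.threat]]` section this hunk ends in continues in the following hunk.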
@@ -55,12 +54,15 @@ id = "T1578" name = "Modify Cloud Compute Infrastructure" reference = "https://attack.mitre.org/techniques/T1578/" [[rule.threat.technique.subtechnique]] +id = "T1578.002" +name = "Create Cloud Instance" +reference = "https://attack.mitre.org/techniques/T1578/002/" +[[rule.threat.technique.subtechnique]] id = "T1578.004" name = "Revert Cloud Instance" reference = "https://attack.mitre.org/techniques/T1578/004/" - [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml index 8b7f1512af9..2f004779966 100644 --- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml +++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -23,6 +23,27 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "high_distinct_count_error_message" name = "Spike in AWS Error Messages" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS. + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### AWS Integration Setup +The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “AWS” and select the integration to see more details about it. +- Click “Add AWS”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws). +""" note = """## Triage and analysis ### Investigating Spike in AWS Error Messages 
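Review bot: The new `setup` text carries the heading `#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system:`, which is the System-integration template wording pasted into an AWS rule; it should read `#### The following steps should be executed in order to add the Elastic Agent AWS integration to your system:`. The last bullet, `deploy the agent on your system from which aws log files are desirable`, is also awkward and would be clearer as `deploy the agent on the system from which AWS logs should be collected`. The same block is pasted verbatim into ml_cloudtrail_rare_error_code.toml, ml_cloudtrail_rare_method_by_city.toml, ml_cloudtrail_rare_method_by_country.toml and ml_cloudtrail_rare_method_by_user.toml in this commit, so the fix applies to all five files.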
@@ -76,10 +97,6 @@ This rule uses a machine learning job to detect a significant spike in the rate - Take the actions needed to return affected systems, data, or services to their normal operational levels. - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml index 0ebbb531d76..e77ba2624e4 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -23,6 +23,27 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "rare_error_code" name = "Rare AWS Error Code" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS. + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### AWS Integration Setup +The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “AWS” and select the integration to see more details about it. +- Click “Add AWS”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws). +""" note = """## Triage and analysis ### Investigating Rare AWS Error Code 
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate a rare and unusual error code that was - Take the actions needed to return affected systems, data, or services to their normal operational levels. - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml index 947265fdca3..be4f893c376 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -24,6 +24,27 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "rare_method_for_a_city" name = "Unusual City For an AWS Command" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS. + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### AWS Integration Setup +The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “AWS” and select the integration to see more details about it. +- Click “Add AWS”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws). +""" note = """## Triage and analysis ### Investigating Unusual City For an AWS Command 
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that - Take the actions needed to return affected systems, data, or services to their normal operational levels. - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml index 1cb446348cf..9a8b45d4c12 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -24,6 +24,27 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "rare_method_for_a_country" name = "Unusual Country For an AWS Command" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS. + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### AWS Integration Setup +The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “AWS” and select the integration to see more details about it. +- Click “Add AWS”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws). +""" note = """## Triage and analysis ### Investigating Unusual Country For an AWS Command 
@@ -80,10 +101,6 @@ Detection alerts from this rule indicate an AWS API command or method call that - Take the actions needed to return affected systems, data, or services to their normal operational levels. - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml index 88a65f6838a..f43c07ebbff 100644 --- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml +++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/13" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -23,6 +23,27 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "rare_method_for_a_username" name = "Unusual AWS Command for a User" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS. + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### AWS Integration Setup +The AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "aws" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “AWS” and select the integration to see more details about it. +- Click “Add AWS”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “aws” to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws). +""" note = """## Triage and analysis ### Investigating Unusual AWS Command for a User 
@@ -78,10 +99,6 @@ Detection alerts from this rule indicate an AWS API command or method call that - Take the actions needed to return affected systems, data, or services to their normal operational levels. - Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). - -## Setup - -The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. """ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml new file mode 100644 index 00000000000..4daf2866a7f --- /dev/null +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml 
@@ -0,0 +1,138 @@
+[metadata]
+creation_date = "2024/06/13"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/06/22"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
+min_stack_version = "8.13.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by
+creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation
+to create new programatic access keys for another IAM user.
+"""
+false_positives = [
+ """
+ While this can be normal behavior, it should be investigated to ensure validity.
+ Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.
+ """,
+]
+from = "now-10m"
+language = "esql"
+license = "Elastic License v2"
+name = "AWS IAM User Created Access Keys For Another User"
+note = """## Triage and analysis
+
+### Investigating AWS IAM User Created Access Keys For Another User
+
+AWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS.
+With access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new
+set of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)
+to look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.
+
+
+#### Possible investigation steps
+
+- Identify both related accounts and their role in the environment.
+- Review IAM permission policies for the user identities.
+- Identify the applications or users that should use these accounts.
+- Investigate other alerts associated with the accounts during the past 48 hours.
+- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.
+- Contact the account owners and confirm whether they are aware of this activity.
+- Considering the source IP address and geolocation of the user who issued the command:
+ - Do they look normal for the calling user?
+ - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?
+ - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+ - Determine what other API calls were made by the user.
+ - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.
+
+### False positive analysis
+
+- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+ - Rotate user credentials
+ - Remove the newly created credentials from the affected user(s)
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+ - Identify the account role in the cloud environment.
+ - Assess the criticality of affected services and servers.
+ - Work with your IT team to identify and minimize the impact on users.
+ - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+ - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.
+ - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.
+ - Work with your IT teams to minimize the impact on business operations during these actions.
+- Remove unauthorized new accounts, and request password resets for other IAM users.
+- Consider enabling multi-factor authentication for users.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.
+- Take the actions needed to return affected systems, data, or services to their normal operational levels.
+- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+ "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey",
+ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence",
+ "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html",
+]
+risk_score = 47
+rule_id = "696015ef-718e-40ff-ac4a-cc2ba88dbeeb"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS IAM",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Privilege Escalation",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-aws.cloudtrail-*
+| where event.provider == "iam.amazonaws.com" and event.action == "CreateAccessKey" and event.outcome == "success" and user.name != user.target.name
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 1cc2fd23f1f..a829a60fee4 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -2,6 +2,8 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
+min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
+min_stack_version = "8.9.0"
 updated_date = "2024/05/21"
 
 [rule]
@@ -34,7 +36,7 @@
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and
+event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and
 aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success
 '''
 
diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
new file mode 100644
index 00000000000..65b062f0ebf
--- /dev/null
+++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
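Review bot: The second hunk changes the query's event.action from AssumedRole to AssumeRole, but the metadata hunk leaves `updated_date = "2024/05/21"` as unchanged context; a change to the detection logic is normally reflected in that date (the new rules in this diff carry June 2024 dates), and a stale value misleads anyone auditing when the query last changed. Replacing it with the commit's date, e.g. `updated_date = "2024/06/26"`, is enough. The added `min_stack_comments` value refers to a `^2.0.0` bump that is not visible anywhere in the hunk, so a reader cannot tell which package the constraint describes; naming it, e.g. `min_stack_comments = "AWS integration package breaking changes (^2.0.0); bumping min stack to 8.9.0"`, would make the intent self-contained.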
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2024/06/24"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2024/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID Device Code Auth with Broker Client"
+references =[
+ "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf",
+ "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
+ "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"
+]
+risk_score = 47
+rule_id = "a83b3dac-325a-11ef-b3e6-f661ea17fbce"
+setup = """
+This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.
+"""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+ event.dataset:(azure.activitylogs or azure.signinlogs)
+ and azure.signinlogs.properties.authentication_protocol:deviceCode
+ and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e
+ and event.outcome:success or (
+ azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e
+ and azure.activitylogs.properties.authentication_protocol:deviceCode)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1528"
+name = "Steal Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1528/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
new file mode 100644
index 00000000000..486885bc9d1
--- /dev/null
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
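Review bot: In the query, `and` binds tighter than `or`, so `event.outcome:success` and the `event.dataset` filter constrain only the signinlogs branch; the activitylogs branch after `or (` matches any device-code event carrying the broker appId regardless of outcome, which contradicts the description's "successful sign-ins". If the activity-log branch is meant to be gated on outcome as well, hoist the shared predicates and parenthesize the two branches as below (this assumes `event.outcome` is populated for activitylogs documents — confirm against the integration's field mapping). Separately, `setup` says the rule "optionally requires" sign-in logs and then calls the data required; one of the two wordings should go.
```toml
query = '''
  event.dataset:(azure.activitylogs or azure.signinlogs) and event.outcome:success and (
    (azure.signinlogs.properties.authentication_protocol:deviceCode
      and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e)
    or
    (azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e
      and azure.activitylogs.properties.authentication_protocol:deviceCode)
  )
'''
```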
@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2023/11/08"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may
+indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a
+session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Device Token Hashes for Single Okta Session"
+note = """
+## Triage and analysis
+
+### Investigating Multiple Device Token Hashes for Single Okta Session
+
+This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.
+
+#### Possible investigation steps:
+- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
+- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
+- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
+ - Historical analysis should indicate if this device token hash is commonly associated with the user.
+- Review the `okta.event_type` field to determine the type of authentication event that occurred.
+ - Authentication events have been filtered out to focus on Okta activity via established sessions.
+- Review the past activities of the actor(s) involved in this action by checking their previous actions.
+- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
+- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.
+ - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.
+
+### False positive analysis:
+- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.
+
+### Response and remediation:
+- Consider stopping all sessions for the user(s) involved in this action.
+- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).
+ - If MFA is already enabled, consider resetting MFA for the users.
+- If any of the users are not legitimate, consider deactivating the user's account.
+- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
+- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
+ - If so, confirm with the user this was a legitimate request.
+ - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
+ - Reset passwords and reset MFA for the user.
+- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.
+ - This should be done with caution as it may prevent legitimate alerts from being generated.
+"""
+references = [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US",
+]
+risk_score = 47
+rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
+setup = """## Setup
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+severity = "medium"
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-okta*
+| WHERE
+ event.dataset == "okta.system"
+ // ignore authentication events where session and device token hash change often
+ AND NOT event.action IN (
+ "policy.evaluate_sign_on",
+ "user.session.start",
+ "user.authentication.sso"
+ )
+ // ignore Okta system events and only allow registered users
+ AND (
+ okta.actor.alternate_id != "system@okta.com"
+ AND okta.actor.alternate_id RLIKE "[^@\\s]+\\@[^@\\s]+"
+ )
+ AND okta.authentication_context.external_session_id != "unknown"
+| STATS
+ dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY
+ okta.actor.alternate_id,
+ okta.authentication_context.external_session_id
+| WHERE
+ dt_hash_counts >= 2
+| SORT
+ dt_hash_counts DESC
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
new file mode 100644
index 00000000000..f7cca9246a5
--- /dev/null
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
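Review bot: The remediation note recommends adding `okta.client.ip` to the exceptions list, but the STATS clause keeps only `okta.actor.alternate_id` and `okta.authentication_context.external_session_id`, so the alerts this rule produces carry no `okta.client.ip` value for an exception to match. Either drop that bullet or retain the IPs in the output with an aggregation (for example `VALUES(okta.client.ip)`, if the target stack's ES|QL supports it) rather than adding the IP to BY, which would split the per-session count across devices and defeat the detection. Unlike the same-device-token-hash rule later in this diff, the WHERE clause also does not exclude the placeholder hash value that rule filters with `okta.debug_context.debug_data.dt_hash != "-"`, so a placeholder plus one real hash already satisfies `dt_hash_counts >= 2`; adding `AND okta.debug_context.debug_data.dt_hash != "-"` keeps the two rules consistent.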
@@ -0,0 +1,125 @@
+[metadata]
+creation_date = "2024/06/17"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
+"""
+false_positives = [
+ "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
+ "Shared systems such as Kiosks and conference room computers may be used by multiple users.",
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Okta User Authentication Events with Client Address"
+note = """## Triage and analysis
+
+### Investigating Multiple Okta User Authentication Events with Client Address
+
+This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
+
+#### Possible investigation steps:
+Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
+- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
+- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
+ - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.
+- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.
+ - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.
+- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
+ - Historical analysis should indicate if this device token hash is commonly associated with the user.
+- Review the `okta.event_type` field to determine the type of authentication event that occurred.
+ - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.
+ - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.
+ - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.
+- Examine the `okta.outcome.result` field to determine if the authentication was successful.
+- Review the past activities of the actor(s) involved in this action by checking their previous actions.
+- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
+
+### False positive analysis:
+- A user may have legitimately started a session via a proxy for security or privacy reasons.
+- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.
+ - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.
+ - Shared systems such as Kiosks and conference room computers may be used by multiple users.
+ - Shared working spaces may have a single endpoint that is used by multiple users.
+
+### Response and remediation:
+- Review the profile of the users involved in this action to determine if proxy usage may be expected.
+- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.
+- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).
+ - If MFA is already enabled, consider resetting MFA for the users.
+- If any of the users are not legitimate, consider deactivating the user's account.
+- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
+- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
+ - If so, confirm with the user this was a legitimate request.
+ - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
+ - Reset passwords and reset MFA for the user.
+- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.
+ - This will prevent future occurrences of this event for this device from triggering the rule.
+ - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.
+ - This should be done with caution as it may prevent legitimate alerts from being generated.
+"""
+references = [
+ "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
+]
+risk_score = 21
+rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce"
+setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
+severity = "low"
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-okta*
+| WHERE
+ event.dataset == "okta.system"
+ AND (event.action == "user.session.start" OR event.action RLIKE "user\\.authentication(.*)")
+ AND okta.outcome.reason == "INVALID_CREDENTIALS"
+| STATS
+ source_auth_count = COUNT_DISTINCT(okta.actor.id)
+ BY okta.client.ip, okta.actor.alternate_id
+| WHERE
+ source_auth_count > 5
+| SORT
+ source_auth_count DESC
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1110.003"
+ name = "Password Spraying"
+ reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1110.004"
+ name = 
"Credential Stuffing"
+ reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
new file mode 100644
index 00000000000..e1ee710f552
--- /dev/null
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
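Review bot: The STATS clause groups `BY okta.client.ip, okta.actor.alternate_id` while counting `COUNT_DISTINCT(okta.actor.id)`, so each group already represents a single user and the count can exceed 1 only if one alternate_id maps to several actor ids; `source_auth_count > 5` will then effectively never fire for the "multiple users from the same client address" case the description targets. Grouping by `okta.client.ip` alone, and collecting the user identifiers for pivoting with an aggregation such as `VALUES(okta.actor.alternate_id)` where the target stack supports it, restores the intended semantics. The same pattern appears in the +124-line hunk for credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml, where `BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id` has the same effect on `target_auth_count`. The remediation bullet suggesting an exception on `okta.debug_context.debug_data.dt_hash` also cannot match here, since that field is not retained after STATS in this query.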
@@ -0,0 +1,124 @@
+[metadata]
+creation_date = "2024/06/17"
+integration = ["okta"]
+maturity = "production"
+min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
+min_stack_version = "8.13.0"
+updated_date = "2024/06/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
+"""
+false_positives = [
+ "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
+ "Shared systems such as Kiosks and conference room computers may be used by multiple users.",
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Multiple Okta User Authentication Events with Same Device Token Hash"
+note = """## Triage and analysis
+
+### Investigating Multiple Okta User Authentication Events with Same Device Token Hash
+
+This rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.
+
+#### Possible investigation steps:
+- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
+- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
+- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.
+ - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.
+- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.
+ - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.
+- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.
+ - Historical analysis should indicate if this device token hash is commonly associated with the user.
+- Review the `okta.event_type` field to determine the type of authentication event that occurred.
+ - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.
+ - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.
+- Examine the `okta.outcome.result` field to determine if the authentication was successful.
+- Review the past activities of the actor(s) involved in this action by checking their previous actions.
+- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.
+
+### False positive analysis:
+- A user may have legitimately started a session via a proxy for security or privacy reasons.
+- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.
+ - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.
+ - Shared systems such as Kiosks and conference room computers may be used by multiple users.
+ - Shared working spaces may have a single endpoint that is used by multiple users.
+
+### Response and remediation:
+- Review the profile of the users involved in this action to determine if proxy usage may be expected.
+- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.
+- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).
+ - If MFA is already enabled, consider resetting MFA for the users.
+- If any of the users are not legitimate, consider deactivating the user's account.
+- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
+- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.
+ - If so, confirm with the user this was a legitimate request.
+ - If so and this was not a legitimate request, consider deactivating the user's account temporarily.
+ - Reset passwords and reset MFA for the user.
+- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.
+ - This will prevent future occurrences of this event for this device from triggering the rule.
+"""
+references = [
+ "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
+]
+risk_score = 21
+rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce"
+setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
+severity = "low"
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-okta*
+| WHERE
+ event.dataset == "okta.system"
+ AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start")
+ AND okta.debug_context.debug_data.dt_hash != "-"
+ AND okta.outcome.reason == "INVALID_CREDENTIALS"
+| STATS
+ target_auth_count = COUNT_DISTINCT(okta.actor.id)
+ BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id
+| WHERE
+ target_auth_count > 20
+| SORT
+ target_auth_count DESC
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1110.003"
+ name = "Password Spraying"
+ reference = "https://attack.mitre.org/techniques/T1110/003/"
+
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1110.004"
+ name = "Credential Stuffing"
+ reference = "https://attack.mitre.org/techniques/T1110/004/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = 
"https://attack.mitre.org/tactics/TA0006/"
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
new file mode 100644
index 00000000000..f9f9898d733
--- /dev/null
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
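Review bot: The threat mapping declares `[[rule.threat.technique]]` for T1110 twice, each holding one sub-technique, where a single T1110 entry with two `[[rule.threat.technique.subtechnique]]` tables expresses the same mapping without a duplicated technique id; the +125-line hunk for credential_access_okta_authentication_for_multiple_users_from_single_source.toml uses the same layout. Whether the repository's rule schema rejects the duplicate is not visible here, so this may only be a style point. The investigation guide also asks the analyst to review `event.outcome` and `okta.outcome.result` for successful authentications, yet the WHERE clause keeps only `okta.outcome.reason == "INVALID_CREDENTIALS"` events, so successes never contribute to the alert and must be found by pivoting on the raw events; a sentence saying so in the guide would save the analyst that confusion.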
@@ -0,0 +1,127 @@ +[metadata] +creation_date = "2024/06/17" +integration = ["okta"] +maturity = "production" +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" + +[rule] +author = ["Elastic"] +description = """ +Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. +""" +false_positives = [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users.", +] +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "High Number of Okta Device Token Cookies Generated for Authentication" +note = """## Triage and analysis + +### Investigating High Number of Okta Device Token Cookies Generated for Authentication + +This rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack. + +#### Possible investigation steps: +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity. 
+- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy. + - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying. +- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful. + - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. + - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. +- Examine the `okta.outcome.result` field to determine if the authentication was successful. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. 
+ - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. + +### False positive analysis: +- A user may have legitimately started a session via a proxy for security or privacy reasons. +- Users may share an endpoint related to work or personal use in which separate Okta accounts are used. + - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons. + - Shared systems such as Kiosks and conference room computers may be used by multiple users. + - Shared working spaces may have a single endpoint that is used by multiple users. + +### Response and remediation: +- Review the profile of the users involved in this action to determine if proxy usage may be expected. +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. 
+ - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. +""" +references = [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/" +] +risk_score = 21 +rule_id = "23f18264-2d6d-11ef-9413-f661ea17fbce" +setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule." +severity = "low" +tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") + AND okta.debug_context.debug_data.request_uri == "/api/v1/authn" + AND okta.outcome.reason == "INVALID_CREDENTIALS" +| STATS + source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) + BY okta.client.ip, okta.actor.alternate_id +| WHERE + source_auth_count >= 30 +| SORT + source_auth_count DESC +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.003" + name = "Password Spraying" + reference = "https://attack.mitre.org/techniques/T1110/003/" + +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = 
"https://attack.mitre.org/techniques/T1110/" + + [[rule.threat.technique.subtechnique]] + id = "T1110.004" + name = "Credential Stuffing" + reference = "https://attack.mitre.org/techniques/T1110/004/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" diff --git a/rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml b/rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml deleted file mode 100644 index 4b5adbb3380..00000000000 --- a/rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml +++ /dev/null 
@@ -1,67 +0,0 @@ -[metadata] -creation_date = "2023/11/08" -integration = ["okta"] -maturity = "production" -min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" -min_stack_version = "8.10.0" -updated_date = "2023/11/08" - - -[rule] -author = ["Elastic"] -description = """ -Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources. -""" -from = "now-30m" -interval = "60m" -index = ["filebeat-*", "logs-okta*"] -language = "kuery" -license = "Elastic License v2" -name = "Multiple Okta Client Addresses for a Single User Session" -note = """## Setup - -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", - "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection" -] -risk_score = 47 -rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd" -severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"] -timestamp_override = "event.ingested" -type = "threshold" -query = ''' -event.dataset:okta.system - and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:* - and not (okta.actor.id: okta* or okta.actor.display_name: okta*) -''' - -[[rule.threat]] -framework = "MITRE ATT&CK" - -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" - -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - 
-[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[rule.threshold] -field = ["okta.actor.id", "okta.authentication_context.external_session_id"] -value = 1 - -[[rule.threshold.cardinality]] -field = "okta.debug_context.debug_data.dt_hash" -value = 2 - diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml index 66d93c49bf5..d141880ba59 100644 --- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml +++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml 
@@ -2,51 +2,99 @@ creation_date = "2023/11/18" integration = ["okta"] maturity = "production" -min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" -min_stack_version = "8.10.0" -updated_date = "2023/11/18" - +min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview." +min_stack_version = "8.13.0" +updated_date = "2024/06/20" [rule] author = ["Elastic"] description = """ -Detects when a specific Okta actor has multiple sessions started from different geolocations. +Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to +launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from +different locations. """ from = "now-30m" interval = "15m" -index = ["filebeat-*", "logs-okta*"] -language = "kuery" +language = "esql" license = "Elastic License v2" name = "Okta User Sessions Started from Different Geolocations" -note = """## Setup +note = """ + +## Triage and analysis + +### Investigating Okta User Sessions Started from Different Geolocations + +This rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations. -The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +#### Possible investigation steps: +- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert. +- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. 
+- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field. + - Historical analysis should indicate if this device token hash is commonly associated with the user. +- Review the `okta.event_type` field to determine the type of authentication event that occurred. + - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons. + - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying. + - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API. +- Review the past activities of the actor(s) involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + - This may help determine the authentication and authorization actions that occurred between the user, Okta and application. + +### False positive analysis: +- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame. + +### Response and remediation: +- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the users. +- If any of the users are not legitimate, consider deactivating the user's account. 
+- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user. + - If so, confirm with the user this was a legitimate request. + - If so and this was not a legitimate request, consider deactivating the user's account temporarily. + - Reset passwords and reset MFA for the user. +- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule. + - This will prevent future occurrences of this event for this device from triggering the rule. + - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule. + - This should be done with caution as it may prevent legitimate alerts from being generated. +""" references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", - "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/" + "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", ] risk_score = 47 rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd" +setup = """ +The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
+""" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"] timestamp_override = "event.ingested" -type = "threshold" +type = "esql" + query = ''' -event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true - and okta.actor.id:* and client.geo.country_name:* +FROM logs-okta* +| WHERE + event.dataset == "okta.system" + AND (event.action RLIKE "user\\.authentication(.*)" OR event.action == "user.session.start") + AND okta.security_context.is_proxy != true and okta.actor.id != "unknown" + AND event.outcome == "success" +| STATS + geo_auth_counts = COUNT_DISTINCT(client.geo.country_name) + BY okta.actor.id, okta.actor.alternate_id +| WHERE + geo_auth_counts >= 2 ''' [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [[rule.threat.technique.subtechnique]] id = "T1078.004" name = "Cloud Accounts" @@ -56,11 +104,3 @@ reference = "https://attack.mitre.org/techniques/T1078/004/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - -[rule.threshold] -field = ["okta.actor.id"] -value = 1 - -[[rule.threshold.cardinality]] -field = "client.geo.country_name" -value = 2 diff --git a/rules/linux/discovery_yum_dnf_plugin_detection.toml b/rules/linux/discovery_yum_dnf_plugin_detection.toml new file mode 100644 index 00000000000..61a81cc9cfa --- /dev/null +++ b/rules/linux/discovery_yum_dnf_plugin_detection.toml 
@@ -0,0 +1,76 @@ +[metadata] +creation_date = "2024/06/25" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/25" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is +used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an +attacker is attempting to establish persistence in a YUM or DNF plugin. +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Yum/DNF Plugin Status Discovery" +references = [ + "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", + "https://pwnshift.github.io/2020/10/01/persistence.html" +] +risk_score = 21 +rule_id = "78390eb5-c838-4c1d-8240-69dd7397cfb7" +setup = """## Setup +This rule requires data coming in from Elastic Defend. +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Discovery", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.name == "grep" and process.args : "plugins*" and process.args : ( + "/etc/yum.conf", "/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*", + "/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*", "/etc/dnf/dnf.conf" +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" 
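Review bot: The description says the rule looks for `grep` "with the `plugins` argument", but the query matches `process.args : "plugins*"`, a prefix wildcard that also covers values such as `plugins=1`; suggest `with an argument beginning with "plugins"`. Matching `process.name == "grep"` alone leaves out the `egrep`/`fgrep` wrappers most distributions ship, so `process.name in ("grep", "egrep", "fgrep")` would keep the rule's intent with the path list unchanged. The `setup` text also runs its headings together without the blank lines that the sibling DNF plugin rule in this commit places between sections.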
diff --git a/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml new file mode 100644 index 00000000000..72a2338e415 --- /dev/null +++ b/rules/linux/persistence_dnf_package_manager_plugin_file_creation.toml 
@@ -0,0 +1,108 @@ +[metadata] +creation_date = "2024/06/25" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/25" + +[rule] +author = ["Elastic"] +description = """ +Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a +command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, +upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain +persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or +control each time DNF is used for package management. +""" +from = "now-9m" +index = ["logs-endpoint.events.file*"] +language = "eql" +license = "Elastic License v2" +name = "DNF Package Manager Plugin File Creation" +references = ["https://pwnshift.github.io/2020/10/01/persistence.html"] +risk_score = 21 +rule_id = "3fe4e20c-a600-4a86-9d98-3ecb1ef23550" +setup = """## Setup +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. + +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. + +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("rename", "creation") and +file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not ( + process.executable in ( + "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", + "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", + "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", + "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", + "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", + "/usr/libexec/netplan/generate" + ) or + file.extension in ("swp", "swpx", "swx") or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*", + "/etc/kernel/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + 
+[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 36ed51d363e..49a478b6814 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/07/22" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/21" [transform] [[transform.osquery]] @@ -180,7 +180,7 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.id == "0" and -file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/init.d/*", "/etc/systemd/system/*", "/usr/lib/systemd/system/*") and not ( (process.name : ( "chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python", "dpkg", "yum", "apt", "dnf", "rpm", diff --git a/rules/linux/persistence_git_hook_file_creation.toml b/rules/linux/persistence_git_hook_file_creation.toml new file mode 100644 index 00000000000..6b2db4215ac --- /dev/null +++ b/rules/linux/persistence_git_hook_file_creation.toml 
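Review bot: The description opens with "the plugin directories for the Yum package manager", but `file.path` only matches `/usr/lib/python*/site-packages/dnf-plugins/*` and `/etc/dnf/plugins/*`; either the sentence should say DNF, as the rule name does, or the Yum plugin paths the discovery rule in this commit lists (`/usr/lib/yum-plugins/*`, `/etc/yum/pluginconf.d/*`) should be added to the path list. `"/dev/fd/*"` inside the `process.executable in (...)` list is inert because `in` compares exact strings; the wildcard `process.executable : (... "/dev/fd/*")` list below it already covers that case, so the entry can be dropped. `"/bin/podman", "/usr/bin/podman"` appears twice in the same `in` list; the git hook file creation rule added below carries the same duplicate.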
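Review bot: Replacing `/etc/rc.d/init.d/*` with `/etc/init.d/*` may lose coverage on Red Hat-family hosts, where `/etc/init.d` is a symlink to `/etc/rc.d/init.d` and a file event can be reported under the resolved path; keeping both patterns, `"/etc/init.d/*", "/etc/rc.d/init.d/*"`, costs nothing. Whether Elastic Defend reports the symlinked or the resolved path is not visible in the hunk, so this is worth confirming against sample events before the old pattern is dropped. The enclosing query continues outside the hunk.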
@@ -0,0 +1,122 @@ +[metadata] +creation_date = "2024/06/26" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/26" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git +executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, +and customize Git's behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious +code whenever a specific Git event occurs. +""" +from = "now-9m" +index = ["logs-endpoint.events.file*"] +language = "eql" +license = "Elastic License v2" +name = "Git Hook Created or Modified" +references = ["https://git-scm.com/docs/githooks/2.26.0"] +risk_score = 21 +rule_id = "ac531fcc-1d3b-476d-bbb5-1357728c9a37" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and +file.extension == null and process.executable != null and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", + "/usr/local/bin/dockerd", "/sbin/dockerd" + ) or + process.executable : ("/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*") or + process.name in ("git", "dirname") or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] 
+framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_git_hook_process_execution.toml b/rules/linux/persistence_git_hook_process_execution.toml new file mode 100644 index 00000000000..8caf97ff310 --- /dev/null +++ b/rules/linux/persistence_git_hook_process_execution.toml 
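Review bot: The name "Git Hook Created or Modified" and the description's "creation or modification" are not backed by the query, which restricts to `event.type == "creation"`; a write to an existing hook would presumably arrive with a different `event.type` and not match, while the DNF plugin rule in this commit uses `event.action in ("rename", "creation")` for a similar purpose. Either widen the event filter or narrow the name and description to creation. `"/bin/podman", "/usr/bin/podman"` is listed twice in the `process.executable in (...)` list. The `file.extension == null` condition does real work here, since it drops the `*.sample` hooks that Git writes into every repository, and deserves a sentence in the description or note so a later tuner does not remove it.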
@@ -0,0 +1,118 @@ +[metadata] +creation_date = "2024/06/26" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/26" + +[rule] +author = ["Elastic"] +description = """ +This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events +such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically +spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by +leveraging the legitimate Git process to execute unauthorized commands. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*"] +language = "eql" +license = "Elastic License v2" +name = "Git Hook Child Process" +references = ["https://git-scm.com/docs/githooks/2.26.0"] +risk_score = 21 +rule_id = "7ce5e1c7-6a49-45e6-a101-0720d185667f" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in ( + "applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit", + "pre-applypatch", "pre-commit", "pre-merge-commit", "prepare-commit-msg", "pre-push", "pre-rebase", "pre-receive", + "push-to-checkout", "update", "post-receive", "pre-auto-gc", "post-rewrite", "sendemail-validate", "p4-pre-submit", + "post-index-change", "post-merge", "post-applypatch" +) and ( + process.name in ("nohup", "setsid", "disown", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or + process.name : ("php*", "perl*", "ruby*", "lua*") or + process.executable : ( + "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", + "/run/*", "/srv/*", "/tmp/*", "/var/tmp/*", "/var/log/*" + ) +) and not process.name in ("git", "dirname") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[rule.threat.tactic] +id = 
"TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 6bded3ec8e1..ef21a58c38f 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/03/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/21" [transform] [[transform.osquery]] @@ -11,7 +11,7 @@ query = "SELECT * FROM file WHERE path = {{file.path}}" [[transform.osquery]] label = "Osquery - Retrieve File Listing Information" -query = "SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')" +query = "SELECT * FROM file WHERE path LIKE '/etc/init.d/%'" [[transform.osquery]] label = "Osquery - Retrieve Additional File Listing Information" @@ -19,8 +19,7 @@ query = """ SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT -JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE -'/run/systemd/generator.late/%') +JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%' """ [[transform.osquery]] @@ -31,7 +30,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ 
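Review bot: The rule ships without a `note` (triage and analysis) section, while the init.d and rc.local rules touched in this commit carry one, so an analyst gets no guidance on the false positives the interpreter branch of the query will produce: a hook written as a shell script that runs a sub-shell yields exactly `process.parent.name in ("pre-commit", ...)` with `process.name in ("bash", "sh", "dash", ...)` on ordinary developer hosts. I would add a short `note = """## Triage and analysis ..."""` block that says shell and interpreter children of a hook are expected in developer and CI workflows and that the executable-path branch (`/tmp/*`, `/dev/shm/*`, `/run/*`, `/etc/cron.*/*`) is the higher-signal part of the query. The description could also state plainly that the rule fires on every hook that calls out to a shell, so the `low` severity is understood as deliberate.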
@@ -42,12 +40,12 @@ can convert init.d files to service unit files that run at boot. Adversaries may """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] -language = "kuery" +language = "eql" license = "Elastic License v2" -name = "Potential Persistence Through init.d Detected" +name = "System V Init Script Created" note = """## Triage and analysis -### Investigating Potential Persistence Through init.d Detected +### Investigating System V Init Script Created The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown. @@ -112,7 +110,7 @@ references = [ "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] -risk_score = 47 +risk_score = 21 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b" setup = """## Setup @@ -139,7 +137,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ -severity = "medium" +severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", 
@@ -150,39 +148,39 @@ tags = [ "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" -type = "new_terms" - +type = "eql" query = ''' -host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and -file.path : /etc/init.d/* and not ( - (process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or "rpm" or - "vmis-launcher" or "exe" or "platform-python" or "executor" or "podman")) or - (file.extension : ("swp" or "swpx")) or - (process.name:mv and file.name:*.dpkg-remove) or - (process.name:sed and file.name:sed*) or - (process.name:systemd and file.name:*.dpkg-new) +file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") +and file.path : "/etc/init.d/*" and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name 
: "e2scrub_all.tmp*") ) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[rule.new_terms] -field = "new_terms_fields" -value = ["file.path", "process.name", "host.id"] -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-7d" - - diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml new file mode 100644 index 00000000000..c46c9b05db1 --- /dev/null +++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml 
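Review bot: `"/dev/fd/*"` sits inside the `process.executable in (...)` list, but EQL `in` compares exactly and only `:` expands wildcards, so that entry can never match; it is already covered by the `process.executable : (...)` list two clauses further down and should be dropped from the `in` list, leaving `"/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/usr/bin/pamac-daemon",`. The same dead entry appears in the rewritten query of persistence_rc_script_creation.toml further down in this commit. Separately, the new `process.executable == null or` exclusion lands in a rule whose `index` still lists `endgame-*` and whose action list keeps `file_create_event`/`file_rename_event`; if Endgame file events do not populate `process.executable` (I cannot confirm that from here), every Endgame event is silently excluded and the index entry is dead weight, so this is worth checking against a sample document before release.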
@@ -0,0 +1,120 @@ +[metadata] +creation_date = "2024/06/03" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/21" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the addition of an executable bit for scripts that are located in directories which are +commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up +within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set +interval to gain persistence onto the system. +""" +from = "now-9m" +index = ["logs-endpoint.events.process*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Executable Bit Set for Potential Persistence Script" +references = [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", +] +risk_score = 21 +rule_id = "94418745-529f-4259-8d25-a713a6feb6ae" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". 
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.args : ( + // Misc. 
+ "/etc/rc.local", "/etc/rc.common", "/etc/init.d/*", "/etc/update-motd.d/*", "/etc/apt/apt.conf.d/*", "/etc/cron*", + "/etc/init/*", + + // XDG + "/etc/xdg/autostart/*", "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", "/home/*/.config/autostart-scripts/*", + "/root/.config/autostart-scripts/*", "/etc/xdg/autostart/*", "/usr/share/autostart/*", + + // udev + "/lib/udev/*", "/etc/udev/rules.d/*", "/usr/lib/udev/rules.d/*", "/run/udev/rules.d/*" + +) and ( + (process.name == "chmod" and process.args : ("+x*", "1*", "3*", "5*", "7*")) or + (process.name == "install" and process.args : "-m*" and process.args : ("7*", "5*", "3*", "1*")) +) and not process.parent.executable : "/var/lib/dpkg/*" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" + +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.013" +name = "XDG Autostart Entries" +reference = "https://attack.mitre.org/techniques/T1547/013/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_rc_local_error_via_syslog.toml b/rules/linux/persistence_rc_local_error_via_syslog.toml new file mode 100644 index 00000000000..17927befe85 --- /dev/null 
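Review bot: The chmod branch matches `process.args : ("+x*", "1*", "3*", "5*", "7*")`, so the common symbolic forms `u+x`, `a+x` and `ug+x` no longer match; the rule this one generalises (persistence_rc_local_common_executable_bit_set.toml, rewritten further down) used `"*+x*"` and `"*7*"`-style patterns, and the same narrowing hits the `install -m` branch for a joined `-m0755` argument, which starts with `-m` rather than a digit. I would restore the leading wildcard on the symbolic form, `(process.name == "chmod" and process.args : ("*+x*", "1*", "3*", "5*", "7*")) or`, and decide explicitly whether the joined `-m` form is meant to be covered. `"/etc/xdg/autostart/*"` is also listed twice in the path set.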
+++ b/rules/linux/persistence_rc_local_error_via_syslog.toml 
@@ -0,0 +1,79 @@ +[metadata] +creation_date = "2024/06/21" +integration = ["system"] +maturity = "production" +updated_date = "2024/06/21" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script +that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute +malicious commands or scripts during system startup. This rule detects error messages such as "Connection refused," +"No such file or directory," or "command not found" in the syslog log file, which may indicate that the rc.local file +has been tampered with. +""" +from = "now-9m" +index = ["logs-system.syslog-*"] +language = "kuery" +license = "Elastic License v2" +name = "Suspicious rc.local Error Message" +references = [ + "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", + "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", + "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", +] +risk_score = 21 +rule_id = "69c116bb-d86f-48b0-857d-3648511a6cac" +setup = """## Setup + +This rule requires data coming in from one of the following integrations: +- Filebeat + +### Filebeat Setup +Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. + +#### The following steps should be executed in order to add the Filebeat for the Linux System: +- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. 
+- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). +- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). +- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). +- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). +- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). + +#### Rule Specific Setup Note +- This rule requires the Filebeat System Module to be enabled. +- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. +- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", +] +timestamp_override = "event.ingested" +type = "query" +query = ''' +host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and +message:("Connection refused" or "No such file or directory" or "command not found") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1037" +name = "Boot or Logon Initialization Scripts" +reference = "https://attack.mitre.org/techniques/T1037/" + +[[rule.threat.technique.subtechnique]] +id = "T1037.004" +name = "RC Scripts" +reference = "https://attack.mitre.org/techniques/T1037/004/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/linux/persistence_rc_local_common_executable_bit_set.toml b/rules/linux/persistence_rc_local_service_already_running.toml similarity index 73% rename from rules/linux/persistence_rc_local_common_executable_bit_set.toml rename to rules/linux/persistence_rc_local_service_already_running.toml index bbc1651e03c..55ce9d6dfb7 100644 --- a/rules/linux/persistence_rc_local_common_executable_bit_set.toml +++ b/rules/linux/persistence_rc_local_service_already_running.toml 
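Review bot: The `setup` text walks the reader through installing Filebeat and enabling its system module, but `integration = ["system"]` and `index = ["logs-system.syslog-*"]` name the Elastic Agent System integration's data stream; as far as I can tell Filebeat's system module writes to `filebeat-*` by default, so a user who follows the setup literally ships data the query never reads. Either describe the System integration in `setup` (as the other rules in this commit do for Elastic Defend) or add the Filebeat pattern, `index = ["logs-system.syslog-*", "filebeat-*"]`. The `process.name:rc.local` clause also assumes the syslog program name is parsed into `process.name`; worth confirming against a sample document from the integration.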
@@ -1,31 +1,32 @@ [metadata] -creation_date = "2024/06/03" +creation_date = "2024/06/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/06/03" +updated_date = "2024/06/21" [rule] author = ["Elastic"] description = """ -This rule monitors for the addition of an executable bit of the `/etc/rc.local` or `/etc/rc.common` files. These files -are used to start custom applications, services, scripts or commands during start-up. They require executable -permissions to be executed on boot. An alert of this rule is an indicator that this method is being set up within -your environment. This method has mostly been replaced by Systemd. However, through the `systemd-rc-local-generator`, -these files can be converted to services that run at boot. Adversaries may alter these files to execute malicious code -at start-up, and gain persistence onto the system. +This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action +created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is +executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux +distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts +on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the +execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the +potential execution of `rc.local`. 
""" from = "now-9m" -index = ["logs-endpoint.events.process*", "endgame-*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" -name = "Executable Bit Set for rc.local/rc.common" +name = "Potential Execution of rc.local Script" references = [ "https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", ] risk_score = 47 -rule_id = "94418745-529f-4259-8d25-a713a6feb6ae" +rule_id = "7318affb-bfe8-4d50-a425-f617833be160" setup = """## Setup This rule requires data coming in from Elastic Defend. @@ -57,18 +58,13 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Endgame", "Data Source: Elastic Defend" ] timestamp_override = "event.ingested" type = "eql" - query = ''' -process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and -process.args in ("/etc/rc.local", "/etc/rc.common") and ( - (process.name == "chmod" and process.args : ("*+x*", "1*", "3*", "5*", "7*")) or - (process.name == "install" and process.args : "-m*" and process.args : ("*7*", "*5*", "*3*", "*1*")) -) +process where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and +process.parent.args == "/etc/rc.local" and process.parent.args == "start" ''' [[rule.threat]] diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index e9177e41c18..d3edbcc110b 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml 
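Review bot: Git records this file as a 73% rename of persistence_rc_local_common_executable_bit_set.toml, yet the rule that keeps that file's `rule_id` (`94418745-529f-4259-8d25-a713a6feb6ae`) is created as a brand-new file earlier in this commit, while the already_running rule here receives a fresh `rule_id` (`7318affb-bfe8-4d50-a425-f617833be160`) and `creation_date`. Releases are presumably unaffected because the version lock is keyed on `rule_id`, but `git log --follow` will now attach the executable-bit rule's history to the rc.local execution rule. Adding the already_running rule as a genuinely new file and editing the executable-bit rule in place would keep history and ids aligned.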
@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/20"
 
 [transform]
 [[transform.osquery]]
@@ -24,24 +24,23 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants label = "Osquery - Retrieve Crontab Information" query = "SELECT * FROM crontab" - [rule] author = ["Elastic"] description = """ -This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the -use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or -commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the -"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter -rc.local to execute malicious code at start-up, and gain persistence onto the system. +This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start +custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by +Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at +boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the +system. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] -language = "kuery" +index = ["logs-endpoint.events.*"] +language = "eql" license = "Elastic License v2" -name = "Potential Persistence Through Run Control Detected" +name = "rc.local/rc.common File Creation" note = """## Triage and analysis -### Investigating Potential Persistence Through Run Control Detected +### Investigating rc.local/rc.common File Creation The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. 
@@ -136,45 +135,50 @@ tags = [ "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", - "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" -type = "new_terms" +type = "eql" query = ''' -host.os.type : "linux" and event.category : "file" and -event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and -file.path : "/etc/rc.local" and not process.name : ( - "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" -) and not file.extension : ("swp" or "swpx") +file where host.os.type == "linux" and event.action in ("rename", "creation") and +file.path in ("/etc/rc.local", "/etc/rc.common") and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) ''' - 
[[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1037" name = "Boot or Logon Initialization Scripts" reference = "https://attack.mitre.org/techniques/T1037/" + [[rule.threat.technique.subtechnique]] id = "T1037.004" name = "RC Scripts" reference = "https://attack.mitre.org/techniques/T1037/004/" - - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[rule.new_terms] -field = "new_terms_fields" -value = ["host.id", "process.executable", "user.id"] -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-7d" - - diff --git a/rules/linux/persistence_systemd_generator_creation.toml b/rules/linux/persistence_systemd_generator_creation.toml new file mode 100644 index 00000000000..91fe055173e --- /dev/null +++ b/rules/linux/persistence_systemd_generator_creation.toml 
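Review bot: The query now matches only `event.action in ("rename", "creation")`, dropping the `change`/`file_modify_event` types the new_terms version matched, so an in-place edit of an existing `/etc/rc.local` (an append, an editor that writes in place) no longer alerts, while the description rewritten in the earlier hunk still promises "creation/alteration". If the narrowing is intentional, the description should say creation or rename instead; otherwise the action list needs the endpoint modification action added alongside `"rename"` and `"creation"`. The `file.Ext.original.extension == "dpkg-new"` exclusion reads as a package-manager rename suppression, which the rule's description does not mention; a short `// dpkg writes *.dpkg-new then renames into place` comment inside the query would save the next maintainer a lookup.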
@@ -0,0 +1,118 @@ +[metadata] +creation_date = "2024/06/19" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/19" + +[rule] +author = ["Elastic"] +description = """ +This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at +bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters +into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. +Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain +persistence on a Linux system. +""" +from = "now-9m" +index = ["logs-endpoint.events.file*"] +language = "eql" +license = "Elastic License v2" +name = "Systemd Generator Created" +references = ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"] +risk_score = 47 +rule_id = "39c06367-b700-4380-848a-cab06e7afede" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. 
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( +"/run/systemd/system-generators/*", "/etc/systemd/system-generators/*", +"/usr/local/lib/systemd/system-generators/*", "/lib/systemd/system-generators/*", +"/usr/lib/systemd/system-generators/*", "/etc/systemd/user-generators/*", +"/usr/local/lib/systemd/user-generators/*", "/usr/lib/systemd/user-generators/*", +"/lib/systemd/user-generators/*" +) and not ( + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", + "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", + "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", + "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", + "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", + "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd" + ) or + file.extension in ("swp", "swpx", "swx", "dpkg-remove") or + file.Ext.original.extension == "dpkg-new" or + process.executable == null +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd 
Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique.subtechnique]] +id = "T1543.002" +name = "Systemd Service" +reference = "https://attack.mitre.org/techniques/T1543/002/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 8bc43527121..81aa84ad826 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -2,7 +2,7 @@ creation_date = "2023/02/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/31" +updated_date = "2024/06/19" [transform] [[transform.osquery]] @@ -15,7 +15,8 @@ query = """ SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%') +OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE +'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
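Review bot: The `file.path` list covers `/run/systemd/system-generators/*` but has no `/run/systemd/user-generators/*` counterpart, although every other generator directory is listed in both its system and user form; unless the omission is deliberate, add `"/run/systemd/user-generators/*"` to the list. `"/dev/fd/*"` inside the `process.executable in (...)` list is an exact-match entry (EQL `in` does not expand wildcards) and is dead — the effective exclusion is the `process.executable : ("/dev/fd/*", ...)` clause below it. The setup text pins `https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html` while every other link in the block uses `current`, and the ML rules touched in this same commit use `fleet/current/agent-policy.html`. Both `[[rule.threat]]` entries map to T1543.002 Systemd Service; a generator is not a unit file, so one sentence in the description explaining why that sub-technique is the closest ATT&CK fit would help the reader.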
@@ -27,7 +28,8 @@ file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_tim JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%') +OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE +'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -154,8 +156,9 @@ timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( - "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*", - "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", + "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", + "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/usr/lib/systemd/user/*", + "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*" ) and file.extension == "timer" and not ( process.executable in ( diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index 71822b17af1..ac547ea9af3 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -2,7 +2,7 @@ creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/31" +updated_date = "2024/06/19" [transform] [[transform.osquery]] 
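Review bot: The user-unit directories added to `file.path` (`/etc/systemd/user/*`, `/usr/lib/systemd/user/*`) have no `/usr/local/lib/systemd/user/*` entry, although the system side lists `/usr/local/lib/systemd/system/*` and the new generator rule in this commit lists `/usr/local/lib/systemd/user-generators/*`; if that directory is a valid user-unit search path on the targets you care about, add it here and in the two osquery transforms above so the three lists stay aligned. The enclosing `query` block continues past the end of the hunk.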
@@ -15,7 +15,8 @@ query = """ SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%') +OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE +'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] @@ -27,7 +28,8 @@ file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_tim JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' -OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%') +OR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE +'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%') """ [[transform.osquery]] 
@@ -183,8 +185,9 @@ timestamp_override = "event.ingested" type = "eql" query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and file.path : ( - "/etc/systemd/system/*", "/usr/local/lib/systemd/system/*", "/lib/systemd/system/*", - "/usr/lib/systemd/system/*", "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", + "/etc/systemd/system/*", "/etc/systemd/user/*", "/usr/local/lib/systemd/system/*", + "/lib/systemd/system/*", "/usr/lib/systemd/system/*", "/usr/lib/systemd/user/*", + "/home/*/.config/systemd/user/*", "/home/*/.local/share/systemd/user/*", "/root/.config/systemd/user/*", "/root/.local/share/systemd/user/*" ) and file.extension == "service" and not ( process.executable in ( diff --git a/rules/linux/persistence_user_or_group_creation_or_modification.toml b/rules/linux/persistence_user_or_group_creation_or_modification.toml new file mode 100644 index 00000000000..cbd541dbbb0 --- /dev/null +++ b/rules/linux/persistence_user_or_group_creation_or_modification.toml 
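Review bot: The user-unit directories added to `file.path` (`/etc/systemd/user/*`, `/usr/lib/systemd/user/*`) have no `/usr/local/lib/systemd/user/*` entry, although the system side lists `/usr/local/lib/systemd/system/*` and the new generator rule in this commit lists `/usr/local/lib/systemd/user-generators/*`; if that directory is a valid user-unit search path on the targets you care about, add it here and in the two osquery transforms above so the lists stay aligned. The enclosing `query` block continues past the end of the hunk.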
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2024/06/20"
+integration = ["auditd_manager"]
+maturity = "production"
+updated_date = "2024/06/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux
+systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "User or Group Creation/Modification"
+risk_score = 21
+rule_id = "fcf733d5-7801-4eb0-92ac-8ffacf3658f2"
+setup = """## Setup
+This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.
+```
+Kibana -->
+Management -->
+Integrations -->
+Auditd Manager -->
+Add Auditd Manager
+```
+`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+For this detection rule to trigger, no additional configuration is required.
+"""
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Auditd Manager",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and
+event.action in ("changed-password", "added-user-account", "added-group-account-to")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1136.001"
+name = "Local Account"
+reference = "https://attack.mitre.org/techniques/T1136/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
new file mode 100644
index 00000000000..6ca712181da
--- /dev/null
+++ b/rules/linux/persistence_yum_package_manager_plugin_file_creation.toml
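Review bot: The name and description promise group creation/modification, but the only group-related value in `event.action` is `added-group-account-to`, and account modifications other than `changed-password` (shell, home or UID changes via usermod, for example) are not in the list; either extend `event.action` with the actions auditd_manager emits for group creation and user modification, or narrow the name and description to what is actually matched. `changed-password` will also fire on every routine password change, so at risk 21 a sentence in the description saying the rule is a low-severity audit signal rather than a high-fidelity alert would set expectations. The `index` list includes `auditbeat-*`, yet the setup text only covers the `auditd_manager` integration; if Auditbeat data is a supported source, say what it needs, otherwise drop the pattern.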
@@ -0,0 +1,108 @@ +[metadata] +creation_date = "2024/06/25" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/25" + +[rule] +author = ["Elastic"] +description = """ +Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, +Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions +for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can +backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued +unauthorized access or control each time Yum is used for package management. +""" +from = "now-9m" +index = ["logs-endpoint.events.file*"] +language = "eql" +license = "Elastic License v2" +name = "Yum Package Manager Plugin File Creation" +references = ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"] +risk_score = 21 +rule_id = "0b15bcad-aff1-4250-a5be-5d1b7eb56d07" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". 
+- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", +] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +file where host.os.type == "linux" and event.action in ("rename", "creation") and +file.path : ("/usr/lib/yum-plugins/*", "/etc/yum/pluginconf.d/*") and not ( + process.executable in ( + "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", + "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", + "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/sbin/apk", "/usr/sbin/apk", + "/usr/local/sbin/apk", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet", "/bin/puppet", + "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", + "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", + "/usr/libexec/netplan/generate" + ) or + process.name == "yumBackend.py" or + file.extension in ("swp", "swpx", "swx") or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/usr/lib/*", "/usr/libexec/*", + "/etc/kernel/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") or + (process.name == "perl" and file.name : "e2scrub_all.tmp*") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE 
ATT&CK" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml new file mode 100644 index 00000000000..b846122f6e5 --- /dev/null +++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml 
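Review bot: The `process.executable : ("/usr/lib/*", "/usr/libexec/*", ...)` exclusion whitelists every executable under `/usr/lib` and `/usr/libexec`, which is far broader than the specific helpers in the `in` list (`/usr/lib/snapd/snapd` and `/usr/libexec/netplan/generate` become redundant) and lets any helper or dropped binary in those trees write a plugin unnoticed; narrow it to the paths that were actually observed generating noise. As in the sibling rules, `"/dev/fd/*"` inside the `in (...)` list is an exact-match entry that EQL never expands and is already covered by the `:` clause below. The description calls Yum the default on Fedora-based systems, but the `file.path` list has no dnf plugin locations (`/etc/dnf/plugins/*` or the `dnf-plugins` package directory); if dnf is deliberately out of scope, say so in the description so operators do not assume coverage.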
@@ -0,0 +1,123 @@ +[metadata] +creation_date = "2024/06/17" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/06/17" + +[rule] +author = ["Elastic"] +description = """ +Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. +This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated +privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or +establish a backdoor for persistence. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Privilege Escalation via SUID/SGID" +references = ["https://gtfobins.github.io/#+suid"] +risk_score = 47 +rule_id = "28eb3afe-131d-48b0-a8fc-9784f3d54f3c" +setup = """## Setup + +This rule requires data coming in from Elastic Defend. + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+""" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Tactic: Persistence", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.user.id == "0" and process.real_user.id != "0") or + (process.group.id == "0" and process.real_group.id != "0") +) and ( + process.name in ( + "aa-exec", "ab", "agetty", "alpine", "ar", "arj", "arp", "as", "ascii-xfr", "ash", "aspell", + "atobm", "awk", "base32", "base64", "basenc", "basez", "bash", "bc", "bridge", "busctl", + "busybox", "bzip2", "cabal", "capsh", "cat", "choom", "chown", "chroot", "clamscan", "cmp", + "column", "comm", "cp", "cpio", "cpulimit", "csh", "csplit", "csvtool", "cupsfilter", "curl", + "cut", "dash", "date", "dd", "debugfs", "dialog", "diff", "dig", "distcc", "dmsetup", "docker", + "dosbox", "ed", "efax", "elvish", "emacs", "env", "eqn", "espeak", "expand", "expect", "file", + "find", "fish", "flock", "fmt", "fold", "gawk", "gcore", "gdb", "genie", "genisoimage", "gimp", + "grep", "gtester", "gzip", "hd", "head", "hexdump", "highlight", "hping3", "iconv", "install", + "ionice", "ispell", "jjs", "join", "jq", "jrunscript", "julia", "ksh", "ksshell", "kubectl", + "ld.so", "less", "links", "logsave", "look", "lua", "make", "mawk", "minicom", "more", + "mosquitto", "msgattrib", "msgcat", "msgconv", "msgfilter", "msgmerge", "msguniq", "multitime", + "mv", "nasm", "nawk", "ncftp", "nft", "nice", "nl", "nm", "nmap", "node", "nohup", "ntpdate", + "od", "openssl", "openvpn", "pandoc", "paste", "perf", "perl", "pexec", "pg", "php", "pidstat", + "pr", "ptx", "python", "rc", "readelf", "restic", "rev", "rlwrap", "rsync", "rtorrent", + "run-parts", "rview", "rvim", "sash", "scanmem", "sed", "setarch", "setfacl", "setlock", "shuf", + "soelim", "softlimit", "sort", "sqlite3", "ss", 
"ssh-agent", "ssh-keygen", "ssh-keyscan", + "sshpass", "start-stop-daemon", "stdbuf", "strace", "strings", "sysctl", "systemctl", "tac", + "tail", "taskset", "tbl", "tclsh", "tee", "terraform", "tftp", "tic", "time", "timeout", "troff", + "ul", "unexpand", "uniq", "unshare", "unsquashfs", "unzip", "update-alternatives", "uudecode", + "uuencode", "vagrant", "varnishncsa", "view", "vigr", "vim", "vimdiff", "vipw", "w3m", "watch", + "wc", "wget", "whiptail", "xargs", "xdotool", "xmodmap", "xmore", "xxd", "xz", "yash", "zsh", + "zsoelim" + ) or + process.name == "ip" and ( + (process.args == "-force" and process.args in ("-batch", "-b")) or (process.args == "exec") + ) +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 11ced2586f4..debaac79b06 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
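Review bot: The description says the rule identifies any process running with uid/gid 0 and a non-zero real id, but the query then requires `process.name` to be in a fixed GTFOBins-style allowlist, so a custom or renamed SUID binary never matches; either state in the description that only known living-off-the-land names are covered, or move the generic uid/real-uid condition into a separate lower-risk rule. The allowlist has `"python"` and `"php"` but not `"python3"` (the binary name on most current distributions) or versioned interpreters; consider `"python", "python3",` in the `in` list or a `process.name : ("python*", ...)` clause. `and` binds tighter than `or` in EQL, so `process.name in (...) or process.name == "ip" and (...)` parses as intended, but the trailing `ip` clause would read more clearly wrapped in its own parentheses.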
@@ -24,6 +24,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "packetbeat_dns_tunneling" name = "DNS Tunneling" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index 7a933193649..57cef36eac2 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
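Review bot: The Network Packet Capture heading says 'add the Elastic Agent System integration "network_traffic"', but the steps that follow add the Network Packet Capture integration, not the System integration; `#### The following steps should be executed in order to add the Network Packet Capture integration "network_traffic" to your system:` matches the list. The same section switches to curly quotes (“Add integrations”) while the Elastic Defend section above uses straight quotes; keep one style across the block. The opening line says the rule needs data from one of the two integrations, while the job is `packetbeat_dns_tunneling`; a sentence naming the DNS fields the job expects from each source would let operators verify their data path before enabling it.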
@@ -27,6 +27,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "packetbeat_rare_dns_question" name = "Unusual DNS Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "746edc4c-c54c-49c6-97a1-651223819448" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index f5f645da58c..7e7f50eccfe 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
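Review bot: The step heading added under "Network Packet Capture Integration Setup", `#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:`, still carries the word "System" from the System-integration template and so names the wrong integration; `#### The following steps should be executed in order to add the Elastic Agent Network Packet Capture integration "network_traffic" to your system:` would match the section it sits under. The same copied heading appears in the hunks for command_and_control_ml_packetbeat_rare_urls.toml and command_and_control_ml_packetbeat_rare_user_agent.toml, and with "auditd_manager" under the Auditd Manager heading in the three credential_access_ml_auth_spike_* hunks and the credential_access_ml_linux_anomalous_metadata_process.toml hunk. In the same section, "deploy the agent on your system from which network log files are desirable" describes packet sniffing as log-file collection, which contradicts the section's opening paragraph; "from which network traffic should be captured" is closer to what the integration does. The sentence `...as a configuration setting, that provides "All events; all preventions"` also lacks a closing period, which the rendered setup guide will show.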
@@ -30,6 +30,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "packetbeat_rare_urls" name = "Unusual Web Request" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9" diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 80d1ea8c12a..92fe092fe32 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -28,6 +28,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "packetbeat_rare_user_agent" name = "Unusual Web User Agent" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0" diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index b1686ca28d2..254e2a72443 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -23,6 +23,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_high_count_logon_fails" name = "Spike in Failed Logon Events" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" note = """## Triage and analysis ### Investigating Spike in Failed Logon Events diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 7bef2ab7db8..7c9569ca0b5 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml 
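Review bot: The Auditd Manager steps spell the integration three ways within one section: the heading quotes `"auditd_manager"`, the prose uses backticked `auditd_manager`, and the add-to-policy step says `“auditd manager”` with a space, while the Network Packet Capture and System sections consistently quote the package name; `- Add the newly installed “auditd_manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.` keeps the three sections parallel and matches the `integration` list at the top of the file. The same step text appears in the credential_access_ml_auth_spike_in_logon_events.toml and credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml hunks. The System section's heading, `#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:`, is the only place where the "System integration" phrasing is actually correct, which suggests the other headings were copied from it.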
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -22,6 +22,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_high_count_logon_events" name = "Spike in Logon Events" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9" 
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index a7db1669252..3305439fe96 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -2,7 +2,7 @@ creation_date = "2021/06/10" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -22,6 +22,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "auth_high_count_logon_events_for_a_source_ip" name = "Spike in Successful Logon Events from a Source IP" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. 
+- Review optional and advanced settings accordingly. +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" note = """## Triage and analysis ### Investigating Spike in Successful Logon Events from a Source IP diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml index 99b868e36b7..25165dddda5 100644 
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -22,6 +22,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_rare_metadata_process"] name = "Unusual Linux Process Calling the Metadata Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6" severity = "low" diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml index c9b15fd4751..1e960dc1f49 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/22" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
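Review bot: The "Rule Specific Setup Note" tells the reader that no additional audit rules are required, yet auditd only produces syscall records for syscalls an audit rule covers, and this rule is about a process calling the metadata service, i.e. an outbound connection; a deployment that follows the note as written may deliver no Auditd Manager network events for the job to score. The job's datafeed is not visible in this hunk, so if it is in fact driven by connection events, replace the last bullet with guidance to load a connect-syscall rule (for example `-a always,exit -F arch=b64 -S connect -k network_connect`) in the "audit rules" box, and keep the bullet as is only if the integration's default output is known to cover it. Separately, the Auditd heading reads `Elastic Agent System integration "auditd_manager"`, a copy-paste from the System section; `Elastic Agent Auditd Manager integration "auditd_manager"` is what is meant.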
@@ -22,6 +22,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_rare_metadata_user"] name = "Unusual Linux User Calling the Metadata Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f" severity = "low" diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml index ce9acc37043..ee7a91db756 100644 --- a/rules/ml/credential_access_ml_suspicious_login_activity.toml +++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
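Review bot: The last bullet of the "Rule Specific Setup Note" (`For this detection rule no additional audit rules are required.`) is doubtful for a rule whose subject is a user calling the metadata service: that is a connect syscall, and auditd does not record syscalls without a matching rule, so the Auditd Manager path described above may yield nothing for the job to learn from. The datafeed the job consumes is not shown here; if it is connection-driven, the bullet should instead point the reader at adding a connect-syscall rule (such as `-a always,exit -F arch=b64 -S connect -k network_connect`) in the "audit rules" box. The Auditd heading `Elastic Agent System integration "auditd_manager"` is also a leftover from the System section and should read `Elastic Agent Auditd Manager integration "auditd_manager"`.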
@@ -19,6 +19,70 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "suspicious_login_activity" name = "Unusual Login Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager +- System + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. + +### System Integration Setup +The System integration allows you to collect system logs and metrics from your servers with Elastic Agent. + +#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “System” and select the integration to see more details about it. +- Click “Add System”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2" diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 708f48dd65d..89ccc71f723 100644 
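Review bot: The Auditd section heading `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:` mislabels Auditd Manager as the System integration (the System section further down uses the same wording for itself); change it to `#### The following steps should be executed in order to add the Elastic Agent Auditd Manager integration "auditd_manager" to your system:`. The "no additional audit rules are required" bullet is defensible for this particular rule, since, as far as I can tell, login records reach auditd from PAM without any syscall rule, but that reasoning is the reason the bullet holds and is worth stating in it, e.g. `- For this detection rule no additional audit rules are required; login records are emitted by PAM without syscall auditing.`, so the note is not carried unchanged into rules where it does not apply.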
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -22,6 +22,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_metadata_process"] name = "Unusual Windows Process Calling the Metadata Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" risk_score = 21 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b" severity = "low" 
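Review bot: The Windows integration section carries no rule-specific note, but a process calling the metadata service is a network connection, which the Windows Security log does not record by default (only with filtering-platform auditing enabled); with this integration such telemetry normally comes from Sysmon's operational log, so Sysmon must be installed with a network-connection (Event ID 3) configuration and the integration's Sysmon data stream enabled. The job's datafeed is not shown in this hunk, so if it is driven by connection events, add a `#### Rule Specific Setup Note` under the Windows steps spelling out those prerequisites, the same way the Linux rules carry an auditd note. The heading `Elastic Agent System integration "windows"` is also a copy-paste from the System section and should read `Elastic Agent Windows integration "windows"`.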
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 783424170e7..e9dc2c50862 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -22,6 +22,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_rare_metadata_user"] name = "Unusual Windows User Calling the Metadata Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" risk_score = 21 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a" severity = "low" 
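Review bot: Nothing in the Windows integration section says where connection telemetry comes from, and a user calling the metadata service is only observable as a network connection; the standard Windows event channels do not log that unless filtering-platform auditing is turned on, so with this integration the practical source is Sysmon (Event ID 3) through the integration's Sysmon data stream, which the reader is never told to install or enable. Since the job's datafeed is outside this hunk, confirm what it consumes and, if it is connection-driven, add a `#### Rule Specific Setup Note` after the Windows steps listing Sysmon with network-connection logging as a prerequisite. The heading `Elastic Agent System integration "windows"` should read `Elastic Agent Windows integration "windows"`; the "System" wording is carried over from the System section template.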
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index c796520526c..2e06a27dba8 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 75
@@ -24,6 +24,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_system_information_discovery"] name = "Unusual Linux System Information Discovery Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" risk_score = 21 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46" severity = "low" diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml index 016916bf3cc..eae2bbef640 100644 --- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 25 
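Review bot: The "Rule Specific Setup Note" states that no additional audit rules are required, but system-information discovery is observed through process executions, and auditd only records execve when a syscall rule (for instance `-a always,exit -F arch=b64 -S execve -k process_execution`) is loaded; without one the Auditd Manager data stream carries no process events for the job. The job's datafeed is outside this hunk, so if it is execution-driven, turn the last bullet into a pointer to add an execve rule in the "audit rules" box rather than a statement that nothing is needed. The Auditd heading `Elastic Agent System integration "auditd_manager"` is a copy-paste from the System section and should say `Elastic Agent Auditd Manager integration "auditd_manager"`.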
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
 name = "Unusual Linux Network Configuration Discovery"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index 240ea84f8e6..83d47f0cbe2 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 25
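Review bot: The Auditd Manager heading `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:` calls auditd_manager a "System integration", which collides with the separate System integration that gets its own section in the auth-rare-hour and auth-rare-source-IP rules later in this diff; `#### The following steps should be executed in order to add the Elastic Agent Auditd Manager integration "auditd_manager" to your system:` avoids the mix-up. The same setup text is pasted verbatim into the three Linux discovery rules that follow (network connection, process and user discovery) and both auth rules, so any wording fix has to land in every copy, which is a good argument for generating these blocks from a single template if the repo tooling allows. Two smaller nits in the same block: `as a configuration setting, that provides "All events; all preventions"` reads better as `as the configuration setting, which provides "All events; all preventions".`, and the Elastic Defend steps use straight quotes ("Add integrations") while the Auditd steps use curly quotes (“Add integrations”), which renders inconsistently in the rule's setup panel.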
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_network_connection_discovery"]
 name = "Unusual Linux Network Connection Discovery"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 236077e3190..9eadd5f1c4b 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_system_process_discovery"]
 name = "Unusual Linux Process Discovery Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
 severity = "low"
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index fedcc03086d..c7ce566570c 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -24,6 +24,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_system_user_discovery"]
 name = "Unusual Linux User Discovery Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
 severity = "low"
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index 6818f720d45..9bdf470104c 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -22,6 +22,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_script"]
 name = "Suspicious Powershell Script"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 references = [
 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
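Review bot: The Windows section of this setup guide ends without the "Rule Specific Setup Note" that the Auditd Manager sections of the sibling rules carry, yet this rule is "Suspicious Powershell Script" with job `v3_windows_anomalous_script`; if, as the name suggests, the job scores PowerShell script content, the generic Windows integration steps are not sufficient on their own, because collection of the PowerShell Operational log in the integration and script block logging on the monitored hosts both have to be enabled or the job has nothing to analyze. Suggest adding after the Windows steps a `#### Rule Specific Setup Note` stating which Windows data stream the job consumes and that PowerShell script block logging must be enabled on the hosts, worded against what the job definition actually reads rather than my inference. The generic step `deploy the agent on your system from which windows log files are desirable` also reads awkwardly; `deploy the agent on the Windows hosts whose logs you want to collect` says the same thing more plainly.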
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 5c318758f9f..53e05ffe3fd 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -18,6 +18,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_rare_hour_for_a_user"
 name = "Unusual Hour for a User to Logon"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy.
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 note = """## Triage and analysis
 ### Investigating Unusual Hour for a User to Logon
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 5a1520d9f3b..f6b95127b55 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -19,6 +19,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_rare_source_ip_for_a_user"
 name = "Unusual Source IP for a User to Logon from"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 18af4302fd7..47a768779c8 100644
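Review bot: The sub-heading of the Auditd Manager steps, `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:`, names the wrong integration; it was carried over from the System section and should read `#### The following steps should be executed in order to add the Elastic Agent Auditd Manager integration "auditd_manager" to your system:`. The same copy-paste heading appears in the setup hunks of initial_access_ml_auth_rare_user_logon.toml and initial_access_ml_linux_anomalous_user_name.toml, and as "Elastic Agent System integration "windows"" / "Elastic Agent System integration "network_traffic"" in the windows and network rule hunks further down. Within the same setup string the Elastic Defend steps use straight quotes ("Add integrations") while the Auditd Manager and System steps use curly quotes (“Add integrations”); since this text is rendered to operators as-is, one quote style should be used throughout. The `setup` value is a single multi-line TOML string, so the note applies to the whole block between `setup = """## Setup` and the closing `"""`.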
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -2,7 +2,7 @@ creation_date = "2021/06/10"
 integration = ["auditd_manager", "endpoint", "system"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -25,6 +25,70 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "auth_rare_user"
 name = "Rare User Logon"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+- System
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+
+### System Integration Setup
+The System integration allows you to collect system logs and metrics from your servers with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "system" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “System” and select the integration to see more details about it.
+- Click “Add System”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “system” to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).
+"""
 note = """## Triage and analysis ### Investigating Rare User Logon
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index bc5582d144b..f95faf19706 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/25"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -28,6 +28,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_anomalous_user_name"]
 name = "Unusual Linux Username"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 note = """## Triage and analysis ### Investigating an Unusual Linux User
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index 7bae0eb9882..23fd8dfc046 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -28,6 +28,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_anomalous_user_name"]
 name = "Unusual Windows Username"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis ### Investigating an Unusual Windows User
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index 66e6ed0a0d2..5fdd2d4a623 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_user_type10_remote_login"]
 name = "Unusual Windows Remote User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 note = """## Triage and analysis ### Investigating an Unusual Windows User
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index e953addcff0..c0f5fc17b56 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -2,7 +2,7 @@ creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
@@ -26,6 +26,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_count_network_denies"
 name = "Spike in Firewall Denies"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Network Packet Capture
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Network Packet Capture Integration Setup
+The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it.
+- Click “Add Network Packet Capture”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index 1218c64e54e..edc03f65057 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -2,7 +2,7 @@ creation_date = "2021/04/05"
 integration = ["endpoint", "network_traffic"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 [rule]
 anomaly_threshold = 75
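Review bot: The deployment step in the Network Packet Capture section, `- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.`, contradicts the section's own description two paragraphs earlier, which says the integration sniffs packets on the host; it does not read log files. A wording that matches what the integration does, e.g. `- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on the hosts whose network traffic you want to capture.`, would keep operators from looking for a log path to point it at. The same sentence is added in the ml_high_count_network_events.toml hunk that follows, which is cut off at the end of this view.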
@@ -25,6 +25,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "high_count_network_events" name = "Spike in Network Traffic" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71" diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 97ddd9a53ec..7fed0183b9e 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
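Review bot: The Network Packet Capture section in this `setup` block is built from the System-integration template and says things that are wrong for a packet sniffer: the step heading calls it the "Elastic Agent System integration" and the deploy step talks about hosts "from which network log files are desirable", although the integration captures live traffic from an interface rather than reading log files. I would change the heading to `#### The following steps should be executed in order to add the Elastic Agent Network Packet Capture integration "network_traffic" to your system:` and the deploy step to `- Add the newly installed "network_traffic" to an existing or a new agent policy, and deploy the agent on the hosts whose network traffic should be captured.`. Because the `high_count_network_events` job can only see traffic on the interface the integration sniffs, the "Review optional and advanced settings" step is also the natural place for one sentence telling the reader to check the capture interface selection; I am inferring that from the integration's purpose rather than from this diff, so confirm against the integration docs before adding it.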
@@ -19,6 +19,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_anomalous_network_activity"] name = "Unusual Linux Network Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" note = """## Triage and analysis ### Investigating Unusual Network Activity diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index 8b0838f66cb..140a8bc735f 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
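Review bot: The closing line of the Auditd Manager section, `- For this detection rule no additional audit rules are required.`, is doubtful for a network-activity job and, if wrong, leaves a silent blind spot rather than an error: the Linux audit subsystem only emits socket/connect syscall records when an audit rule asks for them, and the preceding sentence in the same block already says the integration receives events "without any additional configuration", which covers the default message types but not syscall auditing. As far as I recall the integration ships its external-access example rules (accept/bind/connect) commented out, so a reader who installs only Auditd Manager would get a `v3_linux_anomalous_network_activity` job with no input data and no anomalies. I would replace the line with something like `- For this detection rule, make sure outbound connection syscalls are audited, e.g. -a always,exit -F arch=b64 -S connect -F key=network_connect, unless Elastic Defend is the data source.`; confirm the exact requirement against the job's datafeed query before committing the wording. The `note` triage section that follows the hunk is unchanged and is not affected.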
@@ -18,6 +18,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_anomalous_network_port_activity"] name = "Unusual Linux Network Port Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index f8623cc1f77..653e4cc3226 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
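Review bot: Same concern as for the sibling Linux network rule: `- For this detection rule no additional audit rules are required.` is probably not true when Auditd Manager is the only data source, because a port-activity job needs connect (and likely accept/bind) syscall records, which auditd produces only under an explicit audit rule. Without such a rule the `v3_linux_anomalous_network_port_activity` job would run cleanly against an empty feed, which is the worst failure mode for a detection because nothing reports it. I would replace the line with a hedged instruction such as `- For this detection rule, outbound/inbound connection syscalls must be audited (e.g. -a always,exit -F arch=b64 -S connect,accept,bind -F key=network), unless Elastic Defend supplies the network events.`, after checking the datafeed query of the job.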
@@ -27,6 +27,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "packetbeat_rare_server_domain" name = "Unusual Network Destination Domain Name" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126" diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index b496dfbd435..3f293cd15f6 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
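Review bot: The data sources documented in this `setup` block look mismatched to the job: the block tells the reader to install Elastic Defend or Auditd Manager, but the job id `packetbeat_rare_server_domain` and the rule name "Unusual Network Destination Domain Name" point to network-traffic data, which is what the other network jobs in this same diff (`rare_destination_country`, `high_count_network_events`) document with a Network Packet Capture section. Auditd does not observe destination domain names at all, so a user who follows this guide with auditd only would end up with a job that never raises an anomaly. If the job's datafeed does read network-traffic indices, the Auditd Manager section should be swapped for the Network Packet Capture section used in the sibling rules, the bullet list at the top should read `- Network Packet Capture`, and the file's `integration = ["auditd_manager", "endpoint"]` metadata line (visible in the previous hunk) should become `integration = ["endpoint", "network_traffic"]`; I am inferring the data source from the job name, so confirm it against the job's datafeed before changing the metadata.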
@@ -29,6 +29,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "rare_destination_country" name = "Network Traffic to Rare Destination Country" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 9066dda2475..9ca8cdd35e3 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -2,7 +2,7 @@ creation_date = "2021/04/05" integration = ["endpoint", "network_traffic"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
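Review bot: The deploy step `- Add the newly installed "network_traffic" to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.` carries over the log-file wording of the System/auditd template, which misdescribes a packet-capture integration and should read `... deploy the agent on the hosts whose network traffic should be captured.`; the step heading's "Elastic Agent System integration" should likewise say "Network Packet Capture integration". Beyond wording, the `rare_destination_country` job presumably keys on a destination country field that only exists if the ingest pipeline of the chosen integration adds geo enrichment to `destination.ip`; if that is the case, a one-line caveat here would save readers from a job that ingests traffic but never sees a country, so confirm against the job's datafeed and the two integrations' pipelines and add it if it holds.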
@@ -27,6 +27,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = "high_count_by_destination_country" name = "Spike in Network Traffic To a Country" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Network Packet Capture + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Network Packet Capture Integration Setup +The Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment — ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction. + +#### The following steps should be executed in order to add the Elastic Agent System integration "network_traffic" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Network Packet Capture” and select the integration to see more details about it. +- Click “Add Network Packet Capture”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “network_traffic” to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic). +""" note = """## Triage and analysis ### Investigating Spike in Network Traffic To a Country diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 56b7637a327..a17357a1673 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
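Review bot: The Network Packet Capture steps in this block repeat the template errors of the sibling rules: "Elastic Agent System integration" in the step heading and "network log files" in the deploy step, neither of which describes a packet sniffer; change the deploy step to `... deploy the agent on the hosts whose network traffic should be captured.` and the heading to name the Network Packet Capture integration. The job `high_count_by_destination_country` additionally appears to depend on destination-country geo enrichment, which I cannot verify from this diff; if the job's datafeed needs `destination.geo.*`, the setup should say that the integration's geo enrichment must be left enabled, because a feed of un-enriched flows would make the rule silently inert. The `note` triage section that follows is outside the added lines.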
@@ -20,6 +20,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_network_activity"] name = "Unusual Windows Network Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Unusual Network Activity 
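Review bot: The Windows section describes the integration only as monitoring "the Windows OS, services, applications, and more" and never says which of its data streams produces the network-connection events that `v3_windows_anomalous_network_activity` needs; as far as I know the plain Windows event channels do not carry per-process network connections, and those come from Sysmon (the integration's Sysmon operational stream), so a reader who enables the default streams would feed the job nothing. The "Review optional and advanced settings" step is the place to say so, e.g. `- Enable the Sysmon operational data stream (with Sysmon installed and configured to log network connections) or use Elastic Defend; the default Windows event channels do not contain network connection events.`, after confirming against the job's datafeed query. The step heading's "Elastic Agent System integration "windows"" is also a template leftover and should name the Windows integration. The `note` triage section after the hunk is unchanged.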
diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 8de5f286491..3df45d5fb94 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -23,6 +23,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_linux_anomalous_process_all_hosts"] name = "Anomalous Process For a Linux Population" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" note = """## Triage and analysis ### Investigating Anomalous Process For a Linux Population diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 224077d6f73..0361a75d0d9 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
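Review bot: The "Rule Specific Setup Note" at the end of this hunk says no additional audit rules are required, but the job it backs (`v3_linux_anomalous_process_all_hosts`) models process activity, and to my knowledge an auditd deployment with no rules loaded emits no execve records, so Auditd Manager as the only data source would likely send this job nothing. Suggest replacing the last bullet with `- For this detection rule, process execution events are required; if Auditd Manager is the only data source, add an audit rule for the execve syscall in the "audit rules" box.` The identical note is added in the hunk for rules/ml/persistence_ml_rare_process_by_host_linux.toml, which should get the same change. Also, the integration is spelled “auditd manager”, "Auditd Manager" and `auditd_manager` within one section; one form (the product name "Auditd Manager") would read more cleanly.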
@@ -23,6 +23,56 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_rare_process_by_host_linux"] name = "Unusual Process For a Linux Host" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Auditd Manager + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Auditd Manager Integration Setup +The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. +Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. + +#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. 
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). + +#### Rule Specific Setup Note +Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. +However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from. +- For this detection rule no additional audit rules are required. +""" note = """## Triage and analysis ### Investigating Unusual Process For a Linux Host diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index 280215b6f2f..ecc0bb7c736 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [transform] [[transform.osquery]] 
@@ -49,6 +49,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_rare_process_by_host_windows"] name = "Unusual Process For a Windows Host" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Unusual Process For a Windows Host 
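Review bot: The "Windows Integration Setup" section added here does not say which data stream actually carries the process events the job (`v3_rare_process_by_host_windows`) consumes; as far as I recall, the Windows integration's process data comes from the Sysmon Operational channel, while Security-log process creation events (4688) are collected by the System integration, so a host without Sysmon that follows only these steps would likely yield no data for the job. Consider a bullet after `- Review optional and advanced settings accordingly.` such as `- Process events from this integration are read from the Sysmon Operational log, so Sysmon must be installed on the host; alternatively collect the Security log with the System integration.` The same section is added in the hunks for rules/ml/persistence_ml_windows_anomalous_path_activity.toml, persistence_ml_windows_anomalous_process_all_hosts.toml, persistence_ml_windows_anomalous_process_creation.toml and persistence_ml_windows_anomalous_service.toml, where the same question applies. A style point across all of these setup strings: the Elastic Defend steps use straight quotes (`"Add integrations"`) while the Windows and Auditd Manager steps use curly quotes (`“Add integrations”`), and the heading `Elastic Agent System integration "windows"` reads like a leftover from a System-integration template; both are worth normalising since the text is shown in the rule UI.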
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index dbcb5d48cfd..39a9d623f10 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -25,6 +25,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_path_activity"] name = "Unusual Windows Path Activity" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5" 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index b3a28a2b751..b80a807ed66 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [transform] [[transform.osquery]] 
@@ -49,6 +49,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_all_hosts"] name = "Anomalous Process For a Windows Population" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Anomalous Process For a Windows Population 
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index e7d43de5ed1..1e1a7b527f0 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [transform] [[transform.osquery]] 
@@ -52,6 +52,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_process_creation"] name = "Anomalous Windows Process Creation" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" note = """## Triage and analysis ### Investigating Anomalous Windows Process Creation 
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index ebd2420f362..ac98225fd35 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 50 
@@ -23,6 +23,50 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_service"] name = "Unusual Windows Service" +setup = """## Setup + +This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: +- Elastic Defend +- Windows + +### Anomaly Detection Setup + +Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). + +### Elastic Defend Integration Setup +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. + +#### Prerequisite Requirements: +- Fleet is required for Elastic Defend. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). + +#### The following steps should be executed in order to add the Elastic Defend integration to your system: +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". +- Configure the integration name and optionally add a description. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". +- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. +For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. +For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + +### Windows Integration Setup +The Windows integration allows you to monitor the Windows OS, services, applications, and more. + +#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system: +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Windows” and select the integration to see more details about it. +- Click “Add Windows”. +- Configure the integration name and optionally add a description. +- Review optional and advanced settings accordingly. +- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows). +""" references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7" 
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index adc9dacabe5..6d718fc767f 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/03" integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/18" [rule] anomaly_threshold = 75 
@@ -22,6 +22,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_rare_sudo_user"]
 name = "Unusual Sudo Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
 severity = "low"
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index 62175943783..a4a9a6cebe6 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
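Review bot: The step heading in the new Auditd section reads `#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:`, which is the wording of the System integration guide left over from a copy; for this integration it should read `... add the Elastic Agent integration "auditd_manager" ...`. The same leftover appears in the Windows section of privilege_escalation_ml_windows_rare_user_runas_event.toml and in the Auditd section of resource_development_ml_linux_anomalous_compiler_activity.toml in this change. Within each setup string the Elastic Defend steps use straight quotes (`"Add integrations"`) while the Auditd and Windows steps use curly quotes (`“Add integrations”`); since the text is rendered in Kibana and the docs, one style should be used throughout. The sentence `as a configuration setting, that provides "All events; all preventions"` would read better as `, which provides "All events; all preventions".`.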
@@ -23,6 +23,50 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_windows_rare_user_runas_event"]
 name = "Unusual Windows User Privilege Elevation Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Windows
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Windows Integration Setup
+The Windows integration allows you to monitor the Windows OS, services, applications, and more.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Windows” and select the integration to see more details about it.
+- Click “Add Windows”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
+"""
 references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index ca7bed0a274..e3878144a51 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["auditd_manager", "endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/18"
 
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,56 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = ["v3_linux_rare_user_compiler"]
 name = "Anomalous Linux Compiler Activity"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+- Auditd Manager
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+### Auditd Manager Integration Setup
+The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
+Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
+- Click “Add Auditd Manager”.
+- Configure the integration name and optionally add a description.
+- Review optional and advanced settings accordingly.
+- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
+
+#### Rule Specific Setup Note
+Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
+However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
+- For this detection rule no additional audit rules are required.
+"""
 risk_score = 21
 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
 severity = "low"
diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/threat_intel/threat_intel_indicator_match_address.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_address.toml
rename to rules/threat_intel/threat_intel_indicator_match_address.toml
index 07ed6b5d053..6026f6f265d 100644
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_address.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 
 [transform]
 [[transform.osquery]]
@@ -113,7 +113,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/threat_intel/threat_intel_indicator_match_hash.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_hash.toml
rename to rules/threat_intel/threat_intel_indicator_match_hash.toml
index 54bc25febbf..236fb01db80 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_hash.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/threat_intel/threat_intel_indicator_match_registry.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_registry.toml
rename to rules/threat_intel/threat_intel_indicator_match_registry.toml
index fee4820ef14..5612c34e435 100644
--- a/rules/cross-platform/threat_intel_indicator_match_registry.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/threat_intel/threat_intel_indicator_match_url.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_url.toml
rename to rules/threat_intel/threat_intel_indicator_match_url.toml
index cba88abb5f7..1f829b8c28c 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
new file mode 100644
index 00000000000..fffdad302cf
--- /dev/null
+++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2024/05/29"
+integration = ["ti_rapid7_threat_command"]
+maturity = "production"
+updated_date = "2024/06/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against
+vulnerabilities that were found in the customer environment.
+"""
+from = "now-35m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+interval = "30m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Rapid7 Threat Command CVEs Correlation"
+note = """## Triage and Analysis
+
+### Investigating Rapid7 Threat Command CVEs Correlation
+
+Rapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.
+
+The matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.
+
+If a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.
+
+- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation
+- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation
+- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation
+
+Additional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. This can help understand if the activity is related to legitimate behavior.
+
+- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.
+- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
+- Consider the user and their role within the company: is this something related to their job or work function?
+"""
+references = [
+ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+ "https://docs.elastic.co/integrations/ti_rapid7_threat_command"]
+risk_score = 99
+rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc"
+setup = """
+
+## Setup
+
+This rule needs threat intelligence indicators to work.
+Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
+the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
+or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
+
+More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
+
+## Max Signals
+
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+"""
+severity = "critical"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Data Source: Windows",
+ "Data Source: Network",
+ "Data Source: Rapid7 Threat Command",
+ "Rule Type: Threat Match",
+ "Resources: Investigation Guide",
+ "Use Case: Vulnerability",
+ "Use Case: Asset Visibility",
+ "Use Case: Continuous Monitoring",
+]
+threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"]
+threat_indicator_path = "rapid7.tc.vulnerability"
+threat_language = "kuery"
+threat_query = """
+@timestamp >= "now-30d/d" and vulnerability.id : * and event.module: ti_rapid7_threat_command
+"""
+timestamp_override = "event.ingested"
+type = "threat_match"
+
+query = '''
+vulnerability.id : *
+'''
+
+
+[[rule.filters]]
+
+[rule.filters."$state"]
+store = "appState"
+[rule.filters.meta]
+disabled = false
+key = "rapid7.tc.vulnerability.id"
+negate = true
+type = "exists"
+[rule.filters.query.exists]
+field = "rapid7.tc.vulnerability.id"
+[[rule.threat_mapping]]
+
+[[rule.threat_mapping.entries]]
+field = "vulnerability.id"
+type = "mapping"
+value = "vulnerability.id"
+
+
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 1ea0ba036ef..c08a1dd2422 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
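Review bot: The investigation guide in `note` states that matches are based on CVE values `from the last 180 days`, but `threat_query` restricts the indicator side to `@timestamp >= "now-30d/d"`, so the guide describes a window the rule does not use; either the query window or the sentence should change so that the two agree. The tags carry only `OS: Windows`, while `index` also covers `auditbeat-*` and `packetbeat-*` and the match key `vulnerability.id` is not platform-specific, so the OS tag reads narrower than the rule's actual scope. The negated `exists` filter on `rapid7.tc.vulnerability.id` is what keeps the `logs-*` pattern from matching the indicator index itself, which is not obvious from the TOML; the `## Setup` text could say so in one sentence. The `setup` string starts with two blank lines before `## Setup`, unlike the other rules in this change, which open with `"""## Setup`.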
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/12/15"
-integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ mailbox or archive to a .pst file. Adversaries may target user email to collect
 """
 false_positives = ["Legitimate exchange system administration activity."]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
@@ -74,7 +74,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest
 For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index bec3e54b63b..19f06141311 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/10/14"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies potential use of an SSH utility to establish RDP over a reverse SSH T
 enable routing of network packets that would otherwise not reach their intended destination.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
@@ -72,7 +72,8 @@ tags = [
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_screenconnect_childproc.toml b/rules/windows/command_and_control_screenconnect_childproc.toml
index 0251401edf1..28afb617b92 100644
--- a/rules/windows/command_and_control_screenconnect_childproc.toml
+++ b/rules/windows/command_and_control_screenconnect_childproc.toml
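Review bot: The new `index` line still queries `logs-system.security*`, but `integration` on the new side lists only `endpoint`, `windows`, `sentinel_one_cloud_funnel` and `m365_defender`; the sibling rule collection_email_powershell_exchange_mailbox.toml in this same change pairs that index pattern with `system` in its integration list, so this file looks inconsistent, and if the integration list is what the repo uses for schema validation and package docs (as that sibling suggests), `system` is missing here. The same mismatch is in command_and_control_screenconnect_childproc.toml in the next file section, which also queries `logs-system.security*` without listing `system`. The one-line change would be `integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]`.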
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2024/03/27"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies suspicious processes being spawned by the ScreenConnect client proces
 abusing unauthorized access to the ScreenConnect remote access software.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious ScreenConnect Client Child Process"
@@ -30,7 +30,8 @@ tags = [
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_adidns_wpad_record.toml b/rules/windows/credential_access_adidns_wpad_record.toml
new file mode 100644
index 00000000000..ab0782ec66c
--- /dev/null
+++ b/rules/windows/credential_access_adidns_wpad_record.toml
@@ -0,0 +1,77 @@
+[metadata]
+creation_date = "2024/06/03"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the
+Global Query Block List (GQBL) and create a "wpad" record to exploit hosts running WPAD with default settings for
+privilege escalation and lateral movement.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential WPAD Spoofing via DNS Record Creation"
+references = [
+ "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing",
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+]
+risk_score = 47
+rule_id = "894326d2-56c0-4342-b553-4abfaf421b5b"
+setup = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+"""
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Use Case: Active Directory Monitoring",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.action == "Directory Service Changes" and
+ event.code == "5137" and winlog.event_data.ObjectDN : "DC=wpad,*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 2517a7c0dbd..dae11b84426 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/13"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
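Review bot: The new rule has no `false_positives` entry even though a legitimate WPAD deployment creates exactly the `DC=wpad,*` object the query matches, so every organisation that rolls out WPAD through ADIDNS will alert once on the rollout; a line such as `false_positives = ["Legitimate creation of a wpad DNS record by administrators deploying WPAD."]` placed after `description` would give analysts the expected benign case. The `Set-AuditRule` example in `setup` applies the SACL only to `CN=MicrosoftDNS,DC=DomainDNSZones,...`; AD-integrated zones can also live in the ForestDnsZones application partition or in the domain partition under `CN=MicrosoftDNS,CN=System,...`, and 5137 is only produced where the audit entry exists, so the setup text should state that the command has to be repeated for each partition that stores zones (worth confirming against the environment that produced the test events). The query covers only object creation (`event.code == "5137"`); that a later modification of an existing record (5136) is deliberately out of scope is consistent with the description but could be stated there in one sentence so the gap is documented rather than discovered.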
@@ -13,7 +13,7 @@ Identifies the creation or modification of Domain Backup private keys. Adversari (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Domain Backup DPAPI private key" @@ -36,7 +36,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "high" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_kirbi_file.toml b/rules/windows/credential_access_kirbi_file.toml index ad29d6bc414..c98f6321bb0 100644 --- a/rules/windows/credential_access_kirbi_file.toml +++ b/rules/windows/credential_access_kirbi_file.toml 
@@ -1,10 +1,10 @@ [metadata] creation_date = "2023/08/23" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -14,14 +14,14 @@ Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as P attacker to impersonate users using Kerberos tickets. """ from = "now-9m" -index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Kirbi File Creation" risk_score = 47 rule_id = "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml index 7a3135c6e28..b4538934bea 100644 --- a/rules/windows/credential_access_lsass_openprocess_api.toml +++ b/rules/windows/credential_access_lsass_openprocess_api.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/03/02"
-integration = ["endpoint"]
+integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/27"
 
 [transform]
 [[transform.osquery]]
@@ -34,7 +34,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
 from = "now-9m"
-index = ["logs-endpoint.events.api-*"]
+index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
@@ -112,6 +112,7 @@ tags = [
 "Tactic: Credential Access",
 "Tactic: Execution",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -158,7 +159,7 @@ api where host.os.type == "windows" and
 "?:\\Windows\\System32\\RtkAudUService64.exe",
 "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
 "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe"
- ) and process.code_signature.trusted == true
+ ) and not ?process.code_signature.trusted == false
 )
 '''
diff --git a/rules/windows/credential_access_wbadmin_ntds.toml b/rules/windows/credential_access_wbadmin_ntds.toml
new file mode 100644
index 00000000000..2c6b29f0e10
--- /dev/null
+++ b/rules/windows/credential_access_wbadmin_ntds.toml
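Review bot: `not ?process.code_signature.trusted == false` in the last hunk widens the executable exclusion from "signed and trusted" to "not known to be untrusted": an event with no signature fields at all — presumably the case for the newly added `logs-m365_defender.event-*` source — is now suppressed whenever `process.executable` matches one of the listed system paths, so the trust decision for that source rests on the path alone rather than on a verified signature. If the intent is only to accommodate Defender events, consider keeping `process.code_signature.trusted == true` for sources that carry the field and scoping the null-tolerant form to the data stream that lacks it, and record the reason in the query with an EQL comment such as `/* signature fields may be absent on M365 Defender events */`. The enclosing `not (...)` group and the full executable list begin above this hunk.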
@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2024/06/05"
+integration = ["windows", "endpoint", "system"]
+maturity = "production"
+updated_date = "2024/06/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from
+groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.
+"""
+from = "now-9m"
+index = [
+ "winlogbeat-*",
+ "logs-endpoint.events.process-*",
+ "logs-windows.*",
+ "endgame-*",
+ "logs-system.security*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "NTDS Dump via Wbadmin"
+references = [
+ "https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"
+]
+risk_score = 47
+rule_id = "d93e61db-82d6-4095-99aa-714988118064"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ (process.name : "wbadmin.exe" or ?process.pe.original_file_name : "wbadmin.exe") and
+ process.args : "recovery" and process.command_line : "*ntds.dit*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.002"
+name = "Security Account Manager"
+reference = "https://attack.mitre.org/techniques/T1003/002/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1003.003"
+name = "NTDS"
+reference = "https://attack.mitre.org/techniques/T1003/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index f119f947ba2..9572cd0247f 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/01/17"
-integration = ["windows", "endpoint", "sentinel_one_cloud_funnel"]
+integration = ["windows", "endpoint", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusu
 attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Antimalware Scan Interface DLL"
@@ -104,7 +104,8 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
- "Data Source: SentinelOne"
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
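Review bot: The new rule carries no `false_positives` entry although an authorized system-state restore of a domain controller by a backup operator runs the same `wbadmin ... recovery` command line naming `ntds.dit`; I'd add a `false_positives = [` block, as other rules in this repository do, stating that recovery operations referencing the NTDS database should be reconciled against change records before being treated as credential access. The first threat block also maps to T1003.002 (Security Account Manager) even though the query only matches `*ntds.dit*`; unless the SAM sub-technique is deliberate, T1003.003 alone describes what this rule observes and the extra mapping will skew coverage reporting.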
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index e93afa811f8..116a0f69944 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/19"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "windows", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ when the name or location of a file is manipulated as a means of tricking a user
 benign file type but is actually executable code.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Executable File Creation with Multiple Extensions"
@@ -35,6 +35,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -43,8 +44,7 @@ query = '''
 file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and
 file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and
 not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and
- file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and
- not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl")
+ file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe")
 '''
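Review bot: The extension alternation in the last hunk lists `txt` twice (`...|pptx?|txt|rtf|...|hta|txt|img|iso`); it is harmless to the regex engine but reads as an oversight, and since the query is being edited anyway I'd collapse it to `(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|img|iso)`. The trailing context of this hunk after `'''` is not visible here.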
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 53359cc1b12..584d337ab42 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/11/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -18,6 +18,7 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" @@ -40,6 +41,7 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index 013245ca23b..85b1a7dc0c4 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml +++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -2,7 +2,7 @@ creation_date = "2021/10/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Austin Songer"] 
@@ -88,6 +88,12 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
+ process.executable != null and
+ not process.executable :
+ ("?:\\Windows\\system32\\svchost.exe",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "?:\\Windows\\System32\\DeviceEnroller.exe",
+ "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe") and
 (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and
 registry.data.strings : ("0", "0x00000000")) or
 (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index c00d4a008ab..85763af68a2 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/11/01"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
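Review bot: The six added lines are joined to the rest of the query with `and`, but the registry-path alternatives that follow are chained with `or` at the top level (`... ("0", "0x00000000")) or (registry.path : ...`), and EQL binds `and` tighter than `or`; as written, the new `process.executable` exclusion — and the pre-existing `host.os.type`/`event.type` filter — apply only to the first `PUAProtection` alternative, so the processes this commit is trying to suppress still fire on every other Defender policy path. Unless the remainder of the query, which continues past the end of this hunk, closes an enclosing parenthesis, the `or` chain should be wrapped in `(` ... `)` after the new `and`; please verify against the full query text.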
@@ -14,7 +14,7 @@ default) and is set to 1, then remote connections from all local members of Admi high-integrity tokens during negotiation. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Local Account TokenFilter Policy Disabled" @@ -35,7 +35,8 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", - "Data Source: SentinelOne" + "Data Source: SentinelOne", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml new file mode 100644 index 00000000000..e3ee0189440 --- /dev/null +++ b/rules/windows/defense_evasion_reg_disable_enableglobalqueryblocklist.toml 
@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2024/05/31"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2024/05/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
+DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
+modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
+and lateral movement.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "DNS Global Query Block List Modified or Disabled"
+references = [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+ "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
+ "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"
+]
+risk_score = 47
+rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type : "change" and
+(
+ (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
+ (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+name = "Impair Defenses"
+reference = "https://attack.mitre.org/techniques/T1562/"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+name = "Disable or Modify Tools"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 018f735ad8b..5e81dc0203b 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/03"
-integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"]
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2024/06/11"
+updated_date = "2024/06/25"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ A suspicious Zoom child process was detected, which may indicate an attempt to r
 such as command line, network connections, file writes and associated file signature details as well.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Zoom Child Process"
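Review bot: Both branches of the query key on `registry.value` alone with no `registry.path` constraint, so a value named `EnableGlobalQueryBlockList` or `GlobalQueryBlockList` written under any key — including per-user hives — raises an alert, and nothing ties the match to the DNS Server service; anchoring each branch with a `registry.path :` clause scoped to the DNS service parameters key (the key is named in the referenced write-ups) keeps the rule on the object the description talks about and removes an easy source of noise. The description already names DNSAdmins as the privileged role, yet there is no `false_positives` entry for administrators deliberately removing `wpad` from the block list when they intend to deploy WPAD; a short `false_positives = [` block would help triage.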
@@ -97,7 +97,7 @@ This rule identifies a potential malicious process masquerading as `Zoom.exe` or risk_score = 47 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 4369e04cdf3..13d80ec7f19 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows"] +integration = ["endpoint", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -43,6 +43,7 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" @@ -110,6 +111,7 @@ tags = [ "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 0df4a75f2b6..d70f49a5412 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml 
@@ -1,8 +1,8 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "system", "windows"] +integration = ["endpoint", "system", "windows", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Whoami Process Activity" @@ -72,6 +72,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 5bead44db39..b8923fc73b7 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml 
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/08/21" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" @@ -25,7 +25,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/execution_via_mmc_console_file_unusual_path.toml b/rules/windows/execution_via_mmc_console_file_unusual_path.toml new file mode 100644 index 00000000000..932370090b5 --- /dev/null 
+++ b/rules/windows/execution_via_mmc_console_file_unusual_path.toml 
@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2024/06/19"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/06/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use
+MSC files for initial access and execution.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Microsoft Management Console File from Unusual Path"
+references = ["https://www.elastic.co/security-labs/grimresource"]
+risk_score = 73
+rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
+severity = "high"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: SentinelOne",
+ "Data Source: Microsoft Defender for Endpoint"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.executable : "?:\\Windows\\System32\\mmc.exe" and process.args : "*.msc" and
+ not process.args : ("?:\\Windows\\System32\\*.msc", "?:\\Windows\\SysWOW64\\*.msc", "?:\\Program files\\*.msc", "?:\\Program Files (x86)\\*.msc")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.005"
+name = "Visual Basic"
+reference = "https://attack.mitre.org/techniques/T1059/005/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.007"
+name = "JavaScript"
+reference = "https://attack.mitre.org/techniques/T1059/007/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+[[rule.threat.technique.subtechnique]]
+id = "T1218.014"
+name = "MMC"
+reference = "https://attack.mitre.org/techniques/T1218/014/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
index 60d4797b805..7a6bf1ec0ad 100644
--- a/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
+++ b/rules/windows/initial_access_exploit_jetbrains_teamcity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/03/24"
-integration = ["endpoint", "windows", "system"]
+integration = ["endpoint", "windows", "system", "m365_defender"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/25"
 
 [rule]
 author = ["Elastic"]
@@ -23,6 +23,7 @@ index = [
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
+ "logs-m365_defender.event-*"
 ]
 language = "eql"
 license = "Elastic License v2"
@@ -41,6 +42,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
+ "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index f6a39710485..adc4d1cafb8 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
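Review bot: `min_stack_version = "8.3.0"` does not match the other rules in this commit that list `sentinel_one_cloud_funnel` in `integration` and `logs-sentinel_one_cloud_funnel.*` in `index`, every one of which carries `min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."` and `min_stack_version = "8.13.0"`; unless this rule is intentionally meant to ship to older stacks without working SentinelOne data, it should use those same two lines. `process.executable : "?:\\Windows\\System32\\mmc.exe"` also matches only one binary; if the 32-bit `mmc.exe` under `SysWOW64` is present on the target hosts, as I believe it is, the same `.msc` argument launched through it is not seen, and adding `"?:\\Windows\\SysWOW64\\mmc.exe"` as a second alternative would close that gap. Finally, `"?:\\Program files\\*.msc"` works under the case-insensitive `:` operator but would read consistently with the neighbouring entry as `Program Files`.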
@@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies suspicious child processes of Microsoft Outlook. These child processe phishing activity. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Suspicious MS Outlook Child Process" @@ -75,7 +75,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index 3b79b147137..e2dd298af15 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -36,7 +36,7 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Adobe Hijack Persistence" 
@@ -101,7 +101,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index d34fdd03120..2a5836043bf 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/11/18" -integration = ["endpoint", "windows", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Detects attempts to maintain persistence by creating registry keys using AppCert process using the common API functions to create processes. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" @@ -28,7 +28,7 @@ Hence for this rule to work effectively, users will need to add a custom ingest For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_group_modification_by_system.toml b/rules/windows/persistence_group_modification_by_system.toml new file mode 100644 index 00000000000..ee242c6f639 --- /dev/null +++ b/rules/windows/persistence_group_modification_by_system.toml 
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2024/06/26"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2024/06/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
+that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
+vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Active Directory Group Modification by SYSTEM"
+risk_score = 47
+rule_id = "6f024bde-7085-489b-8250-5957efdf1caf"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Use Case: Active Directory Monitoring",
+ "Data Source: Active Directory",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+iam where winlog.api == "wineventlog" and event.code == "4728" and
+winlog.event_data.SubjectUserSid : "S-1-5-18" and
+
+/* DOMAIN_USERS and local groups */
+not group.id : "S-1-5-21-*-513"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
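Review bot: The query's `event.code == "4728"` only sees additions to security-enabled global groups, so a SYSTEM-driven add to a universal group (Enterprise Admins or Schema Admins in the forest root) is logged as 4756 and never reaches this rule, and the domain-local groups the description itself names (Server Operators, the DC's Administrators) are logged as 4732. Consider `event.code in ("4728", "4756")`, adding 4732 only if it can be scoped to domain controllers, since SYSTEM adding accounts to local groups on member servers is routine and would be noisy. The comment `/* DOMAIN_USERS and local groups */` does not describe what the clause below it does: `not group.id : "S-1-5-21-*-513"` suppresses only the RID-513 Domain Users group, presumably because primary-group membership is assigned by SYSTEM at account creation — rewording it to `/* Domain Users (RID 513): membership is set by SYSTEM when an account is created */` (verify that reasoning) would spare the next reader the guess.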
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 4f551805628..5ccd1e2b17f 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -1,10 +1,10 @@ [metadata] creation_date = "2020/02/18" -integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel"] +integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender"] maturity = "production" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." min_stack_version = "8.13.0" -updated_date = "2024/06/11" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -34,7 +34,7 @@ Windows services typically run as SYSTEM and can be used as a privilege escalati testers may run a shell as a service to gain SYSTEM permissions. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"] language = "eql" license = "Elastic License v2" name = "System Shells via Services" 
@@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml new file mode 100644 index 00000000000..20aa16f0d5b --- /dev/null +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml 
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2024/05/29"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/05/29"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll
+functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned DLL loaded by DNS Service"
+references = [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/",
+ "https://adsecurity.org/?p=4064",
+ "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
+]
+risk_score = 47
+rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.category : ("library", "process") and
+ event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
+ process.executable : "?:\\windows\\system32\\dns.exe" and
+ not ?dll.code_signature.trusted == true and
+ not file.code_signature.status == "Valid"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
new file mode 100644
index 00000000000..71f91b04127
--- /dev/null
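Review bot: `integration = ["endpoint"]` omits the `windows` package even though the rule indexes `logs-windows.sysmon_operational-*` and carries `Data Source: Sysmon`; the ImagePath rule added in this same commit declares `integration = ["endpoint", "windows"]` for exactly that index pair, so this one should read `integration = ["endpoint", "windows"]` as well. Separately, the description promises "unusual DLLs" but the query only fires when the image is unsigned or untrusted (`not ?dll.code_signature.trusted == true` / `not file.code_signature.status == "Valid"`), so a plugin DLL signed with any trusted certificate stays silent; either tighten the wording to `Identifies unsigned or untrusted DLLs loaded by the DNS Server process ...` or note in the description that monitoring writes to the ServerLevelPluginDll registry value is the complementary control. The `"process"` entry in `event.category : ("library", "process")` is presumably there for how Sysmon's image-load event is categorised; a one-line comment in the query saying so would help the next maintainer.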
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml 
@@ -0,0 +1,136 @@ +[metadata] +creation_date = "2024/06/05" +integration = ["endpoint", "windows"] +maturity = "production" +updated_date = "2024/06/05" + +[rule] +author = ["Elastic"] +description = """ +Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with +privileges from groups like Server Operators may change the ImagePath of services to executables under their control or +to execute commands. +""" +from = "now-9m" +index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via Service ImagePath Modification" +references = [ + "https://cube0x0.github.io/Pocing-Beyond-DA/" +] +risk_score = 47 +rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Execution", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend", + "Data Source: Sysmon" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.type == "change" and process.executable != null and + event.action == "modification" and registry.value == "ImagePath" and + registry.key : ( + "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc", + "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker", + "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS", + "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT", + "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon", + "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", 
"*\\PushToInstall", "*\\RSoPProv", + "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc", + "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks", + "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange", + "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC", + "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv", + "*\\WPDBusEnum", "*\\WSearch" + ) and + not ( + registry.data.strings : ( + "?:\\Windows\\system32\\*.exe", + "%systemroot%\\system32\\*.exe", + "%windir%\\system32\\*.exe", + "%SystemRoot%\\system32\\svchost.exe -k *", + "%windir%\\system32\\svchost.exe -k *" + ) and + not registry.data.strings : ( + "*\\cmd.exe", + "*\\cscript.exe", + "*\\ieexec.exe", + "*\\iexpress.exe", + "*\\installutil.exe", + "*\\Microsoft.Workflow.Compiler.exe", + "*\\msbuild.exe", + "*\\mshta.exe", + "*\\msiexec.exe", + "*\\msxsl.exe", + "*\\net.exe", + "*\\powershell.exe", + "*\\pwsh.exe", + "*\\reg.exe", + "*\\RegAsm.exe", + "*\\RegSvcs.exe", + "*\\regsvr32.exe", + "*\\rundll32.exe", + "*\\vssadmin.exe", + "*\\wbadmin.exe", + "*\\wmic.exe", + "*\\wscript.exe" + ) + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1543" +name = "Create or Modify System Process" +reference = "https://attack.mitre.org/techniques/T1543/" +[[rule.threat.technique.subtechnique]] +id = "T1543.003" +name = "Windows Service" +reference = "https://attack.mitre.org/techniques/T1543/003/" + +[[rule.threat.technique]] +id = "T1574" +name = "Hijack Execution Flow" +reference = "https://attack.mitre.org/techniques/T1574/" +[[rule.threat.technique.subtechnique]] +id = "T1574.011" +name = "Services Registry Permissions Weakness" +reference = 
"https://attack.mitre.org/techniques/T1574/011/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1569" +name = "System Services" +reference = "https://attack.mitre.org/techniques/T1569/" +[[rule.threat.technique.subtechnique]] +id = "T1569.002" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1569/002/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index d0c4a672662..801b6587329 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/17" -integration = ["endpoint", "windows", "system"] +integration = ["endpoint", "windows", "system", "m365_defender"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/25" [transform] [[transform.osquery]] @@ -43,6 +43,7 @@ index = [ "logs-windows.*", "endgame-*", "logs-system.security*", + "logs-m365_defender.event-*" ] language = "eql" license = "Elastic License v2" @@ -121,6 +122,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", + "Data Source: Microsoft Defender for Endpoint" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml index 9b62ea0f761..4e5cfbd7fc3 100644 --- a/rules_building_block/collection_files_staged_in_recycle_bin_root.toml +++ b/rules_building_block/collection_files_staged_in_recycle_bin_root.toml 
@@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies files written to the root of the Recycle Bin folder instead of subdir the root of the Recycle Bin in preparation for exfiltration or to evade defenses. """ from = "now-119m" -index = ["logs-endpoint.events.file-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -27,6 +27,8 @@ tags = [ "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Elastic Endgame", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/collection_outlook_email_archive.toml b/rules_building_block/collection_outlook_email_archive.toml index 3362ff8a2f4..0174d47261d 100644 --- a/rules_building_block/collection_outlook_email_archive.toml +++ b/rules_building_block/collection_outlook_email_archive.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies commands containing references to Outlook data files extensions, whic access, or modification of these files. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -27,6 +27,8 @@ tags = [ "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules_building_block/command_and_control_bitsadmin_activity.toml b/rules_building_block/command_and_control_bitsadmin_activity.toml index 5090c481cdb..0b4b571cd60 100644 --- a/rules_building_block/command_and_control_bitsadmin_activity.toml +++ b/rules_building_block/command_and_control_bitsadmin_activity.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, async Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -27,6 +27,8 @@ tags = [ "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/command_and_control_certutil_network_connection.toml b/rules_building_block/command_and_control_certutil_network_connection.toml index c2e4b44ff6c..2a74561ad28 100644 --- a/rules_building_block/command_and_control_certutil_network_connection.toml +++ b/rules_building_block/command_and_control_certutil_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" bypass_bbr_timing = true [transform] 
@@ -70,7 +70,7 @@ Identifies certutil.exe making a network connection. Adversaries could abuse cer malware, from a remote URL. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"] +index = ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Certutil" @@ -135,7 +135,7 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/credential_access_win_private_key_access.toml b/rules_building_block/credential_access_win_private_key_access.toml index 9ae2286caca..dfa2a34ecad 100644 --- a/rules_building_block/credential_access_win_private_key_access.toml +++ b/rules_building_block/credential_access_win_private_key_access.toml @@ -2,14 +2,14 @@ creation_date = "2023/08/21" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] building_block_type = "default" description = "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" 
@@ -24,6 +24,8 @@ tags = [ "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_aws_rds_snapshot_created.toml b/rules_building_block/defense_evasion_aws_rds_snapshot_created.toml new file mode 100644 index 00000000000..f825349247d --- /dev/null +++ b/rules_building_block/defense_evasion_aws_rds_snapshot_created.toml 
@@ -0,0 +1,65 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2024/06/22"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2024/06/25"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls
+or cover their tracks by reverting an instance to a previous state. This is a [building block
+rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) and does not generate alerts on
+its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a
+rule that uses this signal as a building block.
+"""
+false_positives = [
+ """
+ Legitimate manual or automated snapshots created for backups can trigger this rule. Ensure that the snapshots are authorized and align with your organization's policies.
+ """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS RDS DB Snapshot Created"
+risk_score = 21
+rule_id = "68c5c9d1-38e5-48bb-b1b2-8b5951d39738"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS RDS",
+ "Use Case: Asset Visibility",
+ "Tactic: Defense Evasion",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and event.provider: "rds.amazonaws.com"
+ and event.action: ("CreateDBSnapshot" or "CreateDBClusterSnapshot") and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1578"
+name = "Modify Cloud Compute Infrastructure"
+reference = "https://attack.mitre.org/techniques/T1578/"
+[[rule.threat.technique.subtechnique]]
+id = "T1578.001"
+name = "Create Snapshot"
+reference = 
"https://attack.mitre.org/techniques/T1578/001/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml index 8e6fdd61629..67ef9faf7f2 100644 --- a/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml +++ b/rules_building_block/defense_evasion_cmd_copy_binary_contents.toml @@ -2,14 +2,14 @@ creation_date = "2023/08/23" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] building_block_type = "default" description = "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\n" from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -25,6 +25,8 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_cmstp_execution.toml b/rules_building_block/defense_evasion_cmstp_execution.toml index 75a9ca7c70b..9b97d4ce024 100644 --- a/rules_building_block/defense_evasion_cmstp_execution.toml +++ b/rules_building_block/defense_evasion_cmstp_execution.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ service profiles, which accept installation information file (INF) files. Advers execution of malicious code by supplying INF files that contain malicious commands. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -29,6 +29,8 @@ tags = [ "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_service_path_registry.toml b/rules_building_block/defense_evasion_service_path_registry.toml index 7dbda2f6f28..4cb92d4fde5 100644 --- a/rules_building_block/defense_evasion_service_path_registry.toml +++ b/rules_building_block/defense_evasion_service_path_registry.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to modify a service path by an unusual process. Attackers ma for persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.registry-*", "endgame-*"] +index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -28,6 +28,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/defense_evasion_services_exe_path.toml b/rules_building_block/defense_evasion_services_exe_path.toml index 2cb09abc8f5..5035dd0c77e 100644 --- a/rules_building_block/defense_evasion_services_exe_path.toml 
+++ b/rules_building_block/defense_evasion_services_exe_path.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/29" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies attempts to modify a service path setting using sc.exe. Attackers may persistence or privilege escalation. """ from = "now-119m" -index = ["logs-endpoint.events.process-*", "endgame-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -28,6 +28,7 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml index ff88b1d331f..547ba31f6a9 100644 --- a/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml +++ b/rules_building_block/discovery_files_dir_systeminfo_via_cmd.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2022/11/01" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Identifies the execution of discovery commands to enumerate system information, Command Shell. """ from = "now-9m" -index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*"] +index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "System Information Discovery via Windows Command Shell" 
@@ -64,6 +64,7 @@ tags = [ "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/discovery_windows_system_information_discovery.toml b/rules_building_block/discovery_windows_system_information_discovery.toml index 3116404c902..a14dcf1d2d7 100644 --- a/rules_building_block/discovery_windows_system_information_discovery.toml +++ b/rules_building_block/discovery_windows_system_information_discovery.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/07/06" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ Detects the execution of commands used to discover information about the system, compromising a system to gain situational awareness. """ from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"] +index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"] language = "eql" license = "Elastic License v2" name = "Windows System Information Discovery" diff --git a/rules_building_block/execution_settingcontent_ms_file_creation.toml b/rules_building_block/execution_settingcontent_ms_file_creation.toml index cef517d3a22..8e46fde29c9 100644 --- a/rules_building_block/execution_settingcontent_ms_file_creation.toml +++ b/rules_building_block/execution_settingcontent_ms_file_creation.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ Identifies the suspicious creation of SettingContents-ms files, which have been execution while evading defenses. """ from = "now-9m" -index = ["logs-endpoint.events.file-*"] +index = ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Creation of SettingContent-ms Files" @@ -28,6 +28,8 @@ tags = [ "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/lateral_movement_wmic_remote.toml b/rules_building_block/lateral_movement_wmic_remote.toml index 27337528974..5819eb43638 100644 --- a/rules_building_block/lateral_movement_wmic_remote.toml +++ b/rules_building_block/lateral_movement_wmic_remote.toml @@ -2,7 +2,7 @@ creation_date = "2023/08/24" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/27" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Identifies the use of wmic.exe to run commands on remote hosts. While this can b attackers can abuse this built-in utility to achieve lateral movement. """ from = "now-119m" -index = ["logs-endpoint.events.process-*"] +index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"] interval = "60m" language = "eql" license = "Elastic License v2" @@ -27,6 +27,8 @@ tags = [ "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", + "Data Source: Sysmon", + "Data Source: Elastic Endgame" ] timestamp_override = "event.ingested" type = "eql" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 6d056df15f7..8c35a6e8bb7 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -311,7 +311,8 @@ def test_required_tags(self): 'logs-windows.sysmon_operational-*': {'all': ['Data Source: Sysmon']}, 'logs-windows.powershell*': {'all': ['Data Source: PowerShell Logs']}, 'logs-sentinel_one_cloud_funnel.*': {'all': ['Data Source: SentinelOne']}, - 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']} + 'logs-fim.event-*': {'all': ['Data Source: File Integrity Monitoring']}, + 'logs-m365_defender.event-*': {'all': ['Data Source: Microsoft Defender for Endpoint']} } for rule in self.all_rules: @@ -682,13 +683,19 @@ def test_integration_tag(self): failures.append(err_msg) # checks if an index pattern exists if the package integration tag exists + # and is of pattern logs-{integration}* integration_string = "|".join(indices) - if not re.search(rule_integration, integration_string): + if not re.search(f"logs-{rule_integration}*", integration_string): if rule_integration == "windows" and re.search("winlog", integration_string) or \ any(ri in [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)] for ri in rule_integrations): continue - err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing.' + elif rule_integration == "apm" and \ + re.search("apm-*-transaction*|traces-apm*", integration_string): + continue + elif rule.contents.data.type == 'threat_match': + continue + err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing or incorrect.' failures.append(err_msg) # checks if event.dataset exists in query object and a tag exists in metadata diff --git a/tests/test_hunt_data.py b/tests/test_hunt_data.py index e1ba3ed8ad7..2c39fccb486 100644 --- a/tests/test_hunt_data.py +++ b/tests/test_hunt_data.py 
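Review bot: In `re.search(f"logs-{rule_integration}*", integration_string)` the `*` is a regex quantifier, not a glob, so the pattern for `windows` is really `logs-window` followed by zero or more `s`, and `rule_integration` is interpolated unescaped, so the check passes on `logs-window` and would behave unexpectedly for any integration name that contains a regex metacharacter. The same confusion undermines the new APM branch: `apm-*-transaction*` read as a regex can never match the literal index pattern `apm-*-transaction*`, so that `elif` only succeeds when `traces-apm*` happens to be listed too. Since the intent is a prefix test over the index list, drop the regex: `if not any(i.startswith(f"logs-{rule_integration}") for i in indices):` and `elif rule_integration == "apm" and any(i.startswith(("apm-", "traces-apm")) for i in indices):`. The pre-existing `A and B or \ C` condition on the following line binds as `(A and B) or C`, which is probably what is meant, but now that an `elif` chain hangs off it a pair of parentheses would make that explicit.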
@@ -17,12 +17,13 @@ def test_toml_loading(self): example_toml = """ [hunt] author = "Elastic" + description = "Detects denial of service or resource exhaustion attacks." integration = "aws_bedrock.invocation" uuid = "dc181967-c32c-46c9-b84b-ec4c8811c6a0" name = "Denial of Service or Resource Exhaustion Attacks Detection" language = "ES|QL" license = "Elastic License v2" - query = 'SELECT * FROM logs' + query = ['SELECT * FROM logs'] notes = ["High token usage can strain system resources."] mitre = ["AML.T0034"] references = ["https://www.elastic.co"] @@ -43,6 +44,7 @@ def test_load_toml_files(self): toml_contents = toml_file.read_text() hunt = load_toml(toml_contents) self.assertTrue(hunt.author) + self.assertTrue(hunt.description) self.assertTrue(hunt.integration) self.assertTrue(hunt.uuid) self.assertTrue(hunt.name)